From c000cad09d0b54c455c99271bfb996c2dfe13073 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 03:23:53 +0200 Subject: Adding upstream version 2.4.47+dfsg. Signed-off-by: Daniel Baumann --- servers/Makefile.in | 17 + servers/slapd/DB_CONFIG | 28 + servers/slapd/Makefile.in | 460 ++ servers/slapd/abandon.c | 141 + servers/slapd/aci.c | 1835 +++++ servers/slapd/acl.c | 2689 +++++++ servers/slapd/aclparse.c | 2869 ++++++++ servers/slapd/ad.c | 1312 ++++ servers/slapd/add.c | 686 ++ servers/slapd/alock.c | 718 ++ servers/slapd/alock.h | 74 + servers/slapd/at.c | 1108 +++ servers/slapd/attr.c | 722 ++ servers/slapd/ava.c | 133 + servers/slapd/back-bdb/Makefile.in | 53 + servers/slapd/back-bdb/add.c | 547 ++ servers/slapd/back-bdb/attr.c | 441 ++ servers/slapd/back-bdb/back-bdb.h | 377 + servers/slapd/back-bdb/bind.c | 166 + servers/slapd/back-bdb/cache.c | 1692 +++++ servers/slapd/back-bdb/compare.c | 143 + servers/slapd/back-bdb/config.c | 951 +++ servers/slapd/back-bdb/dbcache.c | 210 + servers/slapd/back-bdb/delete.c | 605 ++ servers/slapd/back-bdb/dn2entry.c | 84 + servers/slapd/back-bdb/dn2id.c | 1215 ++++ servers/slapd/back-bdb/error.c | 62 + servers/slapd/back-bdb/extended.c | 54 + servers/slapd/back-bdb/filterindex.c | 1183 +++ servers/slapd/back-bdb/id2entry.c | 446 ++ servers/slapd/back-bdb/idl.c | 1570 ++++ servers/slapd/back-bdb/idl.h | 75 + servers/slapd/back-bdb/index.c | 574 ++ servers/slapd/back-bdb/init.c | 874 +++ servers/slapd/back-bdb/key.c | 104 + servers/slapd/back-bdb/modify.c | 835 +++ servers/slapd/back-bdb/modrdn.c | 842 +++ servers/slapd/back-bdb/monitor.c | 724 ++ servers/slapd/back-bdb/nextid.c | 80 + servers/slapd/back-bdb/operational.c | 151 + servers/slapd/back-bdb/proto-bdb.h | 678 ++ servers/slapd/back-bdb/referral.c | 152 + servers/slapd/back-bdb/search.c | 1388 ++++ servers/slapd/back-bdb/tools.c | 1327 ++++ servers/slapd/back-bdb/trans.c | 56 + servers/slapd/back-dnssrv/Makefile.in | 46 + servers/slapd/back-dnssrv/bind.c | 79 + servers/slapd/back-dnssrv/compare.c | 46 + servers/slapd/back-dnssrv/config.c | 54 + servers/slapd/back-dnssrv/init.c | 115 + servers/slapd/back-dnssrv/proto-dnssrv.h | 46 + servers/slapd/back-dnssrv/referral.c | 129 + servers/slapd/back-dnssrv/search.c | 240 + servers/slapd/back-hdb/Makefile.in | 70 + servers/slapd/back-hdb/back-bdb.h | 31 + servers/slapd/back-ldap/Makefile.in | 45 + servers/slapd/back-ldap/TODO.proxy | 101 + servers/slapd/back-ldap/add.c | 139 + servers/slapd/back-ldap/back-ldap.h | 475 ++ servers/slapd/back-ldap/bind.c | 3068 ++++++++ servers/slapd/back-ldap/chain.c | 2333 ++++++ servers/slapd/back-ldap/compare.c | 88 + servers/slapd/back-ldap/config.c | 2461 +++++++ servers/slapd/back-ldap/delete.c | 85 + servers/slapd/back-ldap/distproc.c | 1017 +++ servers/slapd/back-ldap/extended.c | 410 ++ servers/slapd/back-ldap/init.c | 362 + servers/slapd/back-ldap/modify.c | 136 + servers/slapd/back-ldap/modrdn.c | 123 + servers/slapd/back-ldap/monitor.c | 1072 +++ servers/slapd/back-ldap/pbind.c | 173 + servers/slapd/back-ldap/proto-ldap.h | 124 + servers/slapd/back-ldap/search.c | 1041 +++ servers/slapd/back-ldap/unbind.c | 78 + servers/slapd/back-ldif/Makefile.in | 41 + servers/slapd/back-ldif/ldif.c | 1936 +++++ servers/slapd/back-mdb/Makefile.in | 62 + servers/slapd/back-mdb/add.c | 465 ++ servers/slapd/back-mdb/attr.c | 630 ++ servers/slapd/back-mdb/back-mdb.h | 206 + servers/slapd/back-mdb/bind.c | 158 + servers/slapd/back-mdb/compare.c | 142 + servers/slapd/back-mdb/config.c | 694 ++ servers/slapd/back-mdb/delete.c | 479 ++ servers/slapd/back-mdb/dn2entry.c | 79 + servers/slapd/back-mdb/dn2id.c | 967 +++ servers/slapd/back-mdb/extended.c | 54 + servers/slapd/back-mdb/filterindex.c | 1173 +++ servers/slapd/back-mdb/id2entry.c | 761 ++ servers/slapd/back-mdb/idl.c | 1255 ++++ servers/slapd/back-mdb/idl.h | 116 + servers/slapd/back-mdb/index.c | 575 ++ servers/slapd/back-mdb/init.c | 497 ++ servers/slapd/back-mdb/key.c | 72 + servers/slapd/back-mdb/modify.c | 748 ++ servers/slapd/back-mdb/modrdn.c | 672 ++ servers/slapd/back-mdb/monitor.c | 657 ++ servers/slapd/back-mdb/nextid.c | 53 + servers/slapd/back-mdb/operational.c | 121 + servers/slapd/back-mdb/proto-mdb.h | 393 + servers/slapd/back-mdb/referral.c | 151 + servers/slapd/back-mdb/search.c | 1500 ++++ servers/slapd/back-mdb/tools.c | 1501 ++++ servers/slapd/back-meta/Makefile.in | 45 + servers/slapd/back-meta/add.c | 211 + servers/slapd/back-meta/back-meta.h | 705 ++ servers/slapd/back-meta/bind.c | 1771 +++++ servers/slapd/back-meta/candidates.c | 284 + servers/slapd/back-meta/compare.c | 154 + servers/slapd/back-meta/config.c | 3385 +++++++++ servers/slapd/back-meta/conn.c | 1910 +++++ servers/slapd/back-meta/delete.c | 103 + servers/slapd/back-meta/dncache.c | 235 + servers/slapd/back-meta/init.c | 475 ++ servers/slapd/back-meta/map.c | 877 +++ servers/slapd/back-meta/modify.c | 221 + servers/slapd/back-meta/modrdn.c | 177 + servers/slapd/back-meta/proto-meta.h | 54 + servers/slapd/back-meta/search.c | 2462 +++++++ servers/slapd/back-meta/suffixmassage.c | 193 + servers/slapd/back-meta/unbind.c | 89 + servers/slapd/back-monitor/Makefile.in | 49 + servers/slapd/back-monitor/README | 243 + servers/slapd/back-monitor/back-monitor.h | 324 + servers/slapd/back-monitor/backend.c | 160 + servers/slapd/back-monitor/bind.c | 48 + servers/slapd/back-monitor/cache.c | 449 ++ servers/slapd/back-monitor/compare.c | 76 + servers/slapd/back-monitor/conn.c | 528 ++ servers/slapd/back-monitor/database.c | 1048 +++ servers/slapd/back-monitor/entry.c | 223 + servers/slapd/back-monitor/init.c | 2598 +++++++ servers/slapd/back-monitor/listener.c | 138 + servers/slapd/back-monitor/log.c | 455 ++ servers/slapd/back-monitor/modify.c | 90 + servers/slapd/back-monitor/operation.c | 249 + servers/slapd/back-monitor/operational.c | 72 + servers/slapd/back-monitor/overlay.c | 141 + servers/slapd/back-monitor/proto-back-monitor.h | 338 + servers/slapd/back-monitor/rww.c | 232 + servers/slapd/back-monitor/search.c | 271 + servers/slapd/back-monitor/sent.c | 241 + servers/slapd/back-monitor/thread.c | 358 + servers/slapd/back-monitor/time.c | 247 + servers/slapd/back-ndb/Makefile.in | 59 + servers/slapd/back-ndb/TODO | 6 + servers/slapd/back-ndb/add.cpp | 347 + servers/slapd/back-ndb/attrsets.conf | 36 + servers/slapd/back-ndb/back-ndb.h | 168 + servers/slapd/back-ndb/bind.cpp | 165 + servers/slapd/back-ndb/compare.cpp | 169 + servers/slapd/back-ndb/config.cpp | 333 + servers/slapd/back-ndb/delete.cpp | 322 + servers/slapd/back-ndb/init.cpp | 451 ++ servers/slapd/back-ndb/modify.cpp | 704 ++ servers/slapd/back-ndb/modrdn.cpp | 558 ++ servers/slapd/back-ndb/ndbio.cpp | 1677 +++++ servers/slapd/back-ndb/proto-ndb.h | 166 + servers/slapd/back-ndb/search.cpp | 854 +++ servers/slapd/back-ndb/tools.cpp | 544 ++ servers/slapd/back-null/Makefile.in | 41 + servers/slapd/back-null/README | 1 + servers/slapd/back-null/null.c | 470 ++ servers/slapd/back-passwd/Makefile.in | 41 + servers/slapd/back-passwd/back-passwd.h | 31 + servers/slapd/back-passwd/config.c | 73 + servers/slapd/back-passwd/init.c | 122 + servers/slapd/back-passwd/proto-passwd.h | 33 + servers/slapd/back-passwd/search.c | 365 + servers/slapd/back-perl/Makefile.in | 46 + servers/slapd/back-perl/README | 24 + servers/slapd/back-perl/SampleLDAP.pm | 171 + servers/slapd/back-perl/add.c | 62 + servers/slapd/back-perl/asperl_undefs.h | 38 + servers/slapd/back-perl/bind.c | 80 + servers/slapd/back-perl/close.c | 59 + servers/slapd/back-perl/compare.c | 80 + servers/slapd/back-perl/config.c | 254 + servers/slapd/back-perl/delete.c | 59 + servers/slapd/back-perl/init.c | 177 + servers/slapd/back-perl/modify.c | 97 + servers/slapd/back-perl/modrdn.c | 63 + servers/slapd/back-perl/perl_back.h | 82 + servers/slapd/back-perl/proto-perl.h | 43 + servers/slapd/back-perl/search.c | 122 + servers/slapd/back-relay/Makefile.in | 41 + servers/slapd/back-relay/README | 83 + servers/slapd/back-relay/back-relay.h | 49 + servers/slapd/back-relay/init.c | 254 + servers/slapd/back-relay/op.c | 331 + servers/slapd/back-relay/proto-back-relay.h | 52 + servers/slapd/back-shell/Makefile.in | 43 + servers/slapd/back-shell/add.c | 84 + servers/slapd/back-shell/bind.c | 105 + servers/slapd/back-shell/compare.c | 99 + servers/slapd/back-shell/config.c | 137 + servers/slapd/back-shell/delete.c | 90 + servers/slapd/back-shell/fork.c | 118 + servers/slapd/back-shell/init.c | 111 + servers/slapd/back-shell/modify.c | 126 + servers/slapd/back-shell/modrdn.c | 96 + servers/slapd/back-shell/proto-shell.h | 56 + servers/slapd/back-shell/result.c | 135 + servers/slapd/back-shell/search.c | 86 + servers/slapd/back-shell/searchexample.conf | 29 + servers/slapd/back-shell/searchexample.sh | 65 + servers/slapd/back-shell/shell.h | 65 + servers/slapd/back-shell/unbind.c | 69 + servers/slapd/back-sock/Makefile.in | 47 + servers/slapd/back-sock/add.c | 69 + servers/slapd/back-sock/back-sock.h | 61 + servers/slapd/back-sock/bind.c | 80 + servers/slapd/back-sock/compare.c | 88 + servers/slapd/back-sock/config.c | 420 ++ servers/slapd/back-sock/delete.c | 75 + servers/slapd/back-sock/extended.c | 76 + servers/slapd/back-sock/init.c | 97 + servers/slapd/back-sock/modify.c | 117 + servers/slapd/back-sock/modrdn.c | 81 + servers/slapd/back-sock/opensock.c | 71 + servers/slapd/back-sock/proto-sock.h | 49 + servers/slapd/back-sock/result.c | 167 + servers/slapd/back-sock/search.c | 74 + servers/slapd/back-sock/searchexample.conf | 23 + servers/slapd/back-sock/searchexample.pl | 90 + servers/slapd/back-sock/unbind.c | 57 + servers/slapd/back-sql/Makefile.in | 45 + servers/slapd/back-sql/add.c | 1544 ++++ servers/slapd/back-sql/api.c | 211 + servers/slapd/back-sql/back-sql.h | 631 ++ servers/slapd/back-sql/bind.c | 116 + servers/slapd/back-sql/compare.c | 196 + servers/slapd/back-sql/config.c | 761 ++ servers/slapd/back-sql/delete.c | 637 ++ servers/slapd/back-sql/docs/bugs | 16 + servers/slapd/back-sql/docs/concept | 1 + servers/slapd/back-sql/docs/install | 86 + servers/slapd/back-sql/docs/platforms | 8 + servers/slapd/back-sql/docs/todo | 12 + servers/slapd/back-sql/entry-id.c | 1107 +++ servers/slapd/back-sql/init.c | 672 ++ servers/slapd/back-sql/modify.c | 214 + servers/slapd/back-sql/modrdn.c | 529 ++ servers/slapd/back-sql/operational.c | 250 + servers/slapd/back-sql/proto-sql.h | 313 + servers/slapd/back-sql/rdbms_depend/README | 189 + .../rdbms_depend/ibmdb2/backsql_create.sql | 59 + .../back-sql/rdbms_depend/ibmdb2/backsql_drop.sql | 5 + .../slapd/back-sql/rdbms_depend/ibmdb2/slapd.conf | 36 + .../back-sql/rdbms_depend/ibmdb2/testdb_create.sql | 75 + .../back-sql/rdbms_depend/ibmdb2/testdb_data.sql | 18 + .../back-sql/rdbms_depend/ibmdb2/testdb_drop.sql | 5 + .../rdbms_depend/ibmdb2/testdb_metadata.sql | 123 + .../back-sql/rdbms_depend/mssql/backsql_create.sql | 100 + .../back-sql/rdbms_depend/mssql/backsql_drop.sql | 14 + .../slapd/back-sql/rdbms_depend/mssql/slapd.conf | 30 + .../back-sql/rdbms_depend/mssql/testdb_create.sql | 74 + .../back-sql/rdbms_depend/mssql/testdb_data.sql | 24 + .../back-sql/rdbms_depend/mssql/testdb_drop.sql | 39 + .../rdbms_depend/mssql/testdb_metadata.sql | 198 + .../back-sql/rdbms_depend/mysql/backsql_create.sql | 58 + .../back-sql/rdbms_depend/mysql/backsql_drop.sql | 7 + .../slapd/back-sql/rdbms_depend/mysql/slapd.conf | 32 + .../back-sql/rdbms_depend/mysql/testdb_create.sql | 86 + .../back-sql/rdbms_depend/mysql/testdb_data.sql | 21 + .../back-sql/rdbms_depend/mysql/testdb_drop.sql | 5 + .../rdbms_depend/mysql/testdb_metadata.sql | 125 + .../rdbms_depend/oracle/backsql_create.sql | 90 + .../back-sql/rdbms_depend/oracle/backsql_drop.sql | 8 + .../slapd/back-sql/rdbms_depend/oracle/slapd.conf | 32 + .../back-sql/rdbms_depend/oracle/testdb_create.sql | 68 + .../back-sql/rdbms_depend/oracle/testdb_data.sql | 27 + .../back-sql/rdbms_depend/oracle/testdb_drop.sql | 25 + .../rdbms_depend/oracle/testdb_metadata.sql | 252 + .../back-sql/rdbms_depend/pgsql/backsql_create.sql | 50 + .../back-sql/rdbms_depend/pgsql/backsql_drop.sql | 4 + .../slapd/back-sql/rdbms_depend/pgsql/slapd.conf | 35 + .../back-sql/rdbms_depend/pgsql/testdb_create.sql | 55 + .../back-sql/rdbms_depend/pgsql/testdb_data.sql | 21 + .../back-sql/rdbms_depend/pgsql/testdb_drop.sql | 13 + .../rdbms_depend/pgsql/testdb_metadata.sql | 146 + .../rdbms_depend/timesten/backsql_create.sql | 66 + .../rdbms_depend/timesten/backsql_drop.sql | 9 + .../rdbms_depend/timesten/create_schema.sh | 4 + .../rdbms_depend/timesten/dnreverse/Makefile | 48 + .../rdbms_depend/timesten/dnreverse/dnreverse.cpp | 387 + .../back-sql/rdbms_depend/timesten/slapd.conf | 31 + .../rdbms_depend/timesten/testdb_create.sql | 36 + .../back-sql/rdbms_depend/timesten/testdb_data.sql | 16 + .../back-sql/rdbms_depend/timesten/testdb_drop.sql | 5 + .../rdbms_depend/timesten/testdb_metadata.sql | 108 + .../rdbms_depend/timesten/ttcreate_schema.sh | 4 + .../rdbms_depend/timesten/tttestdb_create.sql | 42 + .../rdbms_depend/timesten/tttestdb_data.sql | 20 + .../rdbms_depend/timesten/tttestdb_drop.sql | 5 + .../rdbms_depend/timesten/tttestdb_metadata.sql | 122 + servers/slapd/back-sql/schema-map.c | 1043 +++ servers/slapd/back-sql/search.c | 2792 ++++++++ servers/slapd/back-sql/sql-wrap.c | 538 ++ servers/slapd/back-sql/util.c | 574 ++ servers/slapd/backend.c | 1983 ++++++ servers/slapd/backglue.c | 1549 ++++ servers/slapd/backover.c | 1440 ++++ servers/slapd/bconfig.c | 7502 ++++++++++++++++++++ servers/slapd/bind.c | 444 ++ servers/slapd/cancel.c | 156 + servers/slapd/ch_malloc.c | 142 + servers/slapd/compare.c | 409 ++ servers/slapd/component.c | 1393 ++++ servers/slapd/component.h | 76 + servers/slapd/config.c | 2465 +++++++ servers/slapd/config.h | 227 + servers/slapd/connection.c | 2124 ++++++ servers/slapd/controls.c | 2147 ++++++ servers/slapd/cr.c | 501 ++ servers/slapd/ctxcsn.c | 216 + servers/slapd/daemon.c | 3088 ++++++++ servers/slapd/delete.c | 237 + servers/slapd/dn.c | 1330 ++++ servers/slapd/entry.c | 1025 +++ servers/slapd/extended.c | 406 ++ servers/slapd/filter.c | 1431 ++++ servers/slapd/filterentry.c | 986 +++ servers/slapd/frontend.c | 174 + servers/slapd/globals.c | 38 + servers/slapd/index.c | 91 + servers/slapd/init.c | 323 + servers/slapd/ldapsync.c | 464 ++ servers/slapd/limits.c | 1355 ++++ servers/slapd/lock.c | 83 + servers/slapd/main.c | 1142 +++ servers/slapd/matchedValues.c | 348 + servers/slapd/modify.c | 1097 +++ servers/slapd/modrdn.c | 548 ++ servers/slapd/mods.c | 487 ++ servers/slapd/module.c | 368 + servers/slapd/mr.c | 549 ++ servers/slapd/mra.c | 231 + servers/slapd/nt_svc.c | 110 + servers/slapd/oc.c | 940 +++ servers/slapd/oidm.c | 217 + servers/slapd/operation.c | 245 + servers/slapd/operational.c | 90 + servers/slapd/overlays/Makefile.in | 156 + servers/slapd/overlays/README | 5 + servers/slapd/overlays/accesslog.c | 2389 +++++++ servers/slapd/overlays/auditlog.c | 240 + servers/slapd/overlays/collect.c | 439 ++ servers/slapd/overlays/constraint.c | 1231 ++++ servers/slapd/overlays/dds.c | 2046 ++++++ servers/slapd/overlays/deref.c | 585 ++ servers/slapd/overlays/dyngroup.c | 228 + servers/slapd/overlays/dynlist.c | 1574 ++++ servers/slapd/overlays/memberof.c | 2204 ++++++ servers/slapd/overlays/overlays.c | 44 + servers/slapd/overlays/pcache.c | 5777 +++++++++++++++ servers/slapd/overlays/ppolicy.c | 2526 +++++++ servers/slapd/overlays/refint.c | 1087 +++ servers/slapd/overlays/retcode.c | 1571 ++++ servers/slapd/overlays/rwm.c | 2759 +++++++ servers/slapd/overlays/rwm.h | 187 + servers/slapd/overlays/rwmconf.c | 417 ++ servers/slapd/overlays/rwmdn.c | 215 + servers/slapd/overlays/rwmmap.c | 1347 ++++ servers/slapd/overlays/seqmod.c | 206 + servers/slapd/overlays/slapover.txt | 158 + servers/slapd/overlays/sssvlv.c | 1434 ++++ servers/slapd/overlays/syncprov.c | 3523 +++++++++ servers/slapd/overlays/translucent.c | 1416 ++++ servers/slapd/overlays/unique.c | 1464 ++++ servers/slapd/overlays/valsort.c | 580 ++ servers/slapd/passwd.c | 626 ++ servers/slapd/phonetic.c | 459 ++ servers/slapd/proto-slap.h | 2195 ++++++ servers/slapd/referral.c | 363 + servers/slapd/result.c | 1859 +++++ servers/slapd/root_dse.c | 545 ++ servers/slapd/sasl.c | 1906 +++++ servers/slapd/saslauthz.c | 2101 ++++++ servers/slapd/schema.c | 167 + servers/slapd/schema/README | 80 + servers/slapd/schema/collective.ldif | 48 + servers/slapd/schema/corba.ldif | 42 + servers/slapd/schema/cosine.ldif | 200 + servers/slapd/schema/duaconf.ldif | 83 + servers/slapd/schema/dyngroup.ldif | 71 + servers/slapd/schema/dyngroup.schema | 91 + servers/slapd/schema/inetorgperson.ldif | 69 + servers/slapd/schema/java.ldif | 59 + servers/slapd/schema/misc.ldif | 45 + servers/slapd/schema/misc.schema | 75 + servers/slapd/schema/nis.ldif | 120 + servers/slapd/schema/nis.schema | 237 + servers/slapd/schema/openldap.ldif | 88 + servers/slapd/schema/openldap.schema | 54 + servers/slapd/schema/pmi.ldif | 123 + servers/slapd/schema/ppolicy.ldif | 87 + servers/slapd/schema_check.c | 938 +++ servers/slapd/schema_init.c | 6873 ++++++++++++++++++ servers/slapd/schema_prep.c | 1614 +++++ servers/slapd/schemaparse.c | 400 ++ servers/slapd/search.c | 415 ++ servers/slapd/sets.c | 832 +++ servers/slapd/sets.h | 75 + servers/slapd/shell-backends/Makefile.in | 40 + servers/slapd/shell-backends/passwd-shell.c | 207 + servers/slapd/shell-backends/shellutil.c | 396 ++ servers/slapd/shell-backends/shellutil.h | 123 + servers/slapd/sl_malloc.c | 730 ++ servers/slapd/slap.h | 3345 +++++++++ servers/slapd/slapacl.c | 411 ++ servers/slapd/slapadd.c | 531 ++ servers/slapd/slapauth.c | 177 + servers/slapd/slapcat.c | 175 + servers/slapd/slapcommon.c | 1228 ++++ servers/slapd/slapcommon.h | 138 + servers/slapd/slapd.conf | 65 + servers/slapd/slapd.ldif | 95 + servers/slapd/slapdn.c | 107 + servers/slapd/slapi/Makefile.in | 51 + servers/slapd/slapi/TODO | 16 + servers/slapd/slapi/plugin.c | 747 ++ servers/slapd/slapi/printmsg.c | 100 + servers/slapd/slapi/proto-slapi.h | 91 + servers/slapd/slapi/slapi.h | 204 + servers/slapd/slapi/slapi_dn.c | 669 ++ servers/slapd/slapi/slapi_ext.c | 349 + servers/slapd/slapi/slapi_ops.c | 956 +++ servers/slapd/slapi/slapi_overlay.c | 952 +++ servers/slapd/slapi/slapi_pblock.c | 1426 ++++ servers/slapd/slapi/slapi_utils.c | 3473 +++++++++ servers/slapd/slapindex.c | 110 + servers/slapd/slappasswd.c | 284 + servers/slapd/slapschema.c | 165 + servers/slapd/slaptest.c | 120 + servers/slapd/starttls.c | 112 + servers/slapd/str2filter.c | 84 + servers/slapd/syncrepl.c | 5778 +++++++++++++++ servers/slapd/syntax.c | 457 ++ servers/slapd/txn.c | 217 + servers/slapd/unbind.c | 62 + servers/slapd/user.c | 176 + servers/slapd/value.c | 798 +++ servers/slapd/zn_malloc.c | 972 +++ 444 files changed, 236394 insertions(+) create mode 100644 servers/Makefile.in create mode 100644 servers/slapd/DB_CONFIG create mode 100644 servers/slapd/Makefile.in create mode 100644 servers/slapd/abandon.c create mode 100644 servers/slapd/aci.c create mode 100644 servers/slapd/acl.c create mode 100644 servers/slapd/aclparse.c create mode 100644 servers/slapd/ad.c create mode 100644 servers/slapd/add.c create mode 100644 servers/slapd/alock.c create mode 100644 servers/slapd/alock.h create mode 100644 servers/slapd/at.c create mode 100644 servers/slapd/attr.c create mode 100644 servers/slapd/ava.c create mode 100644 servers/slapd/back-bdb/Makefile.in create mode 100644 servers/slapd/back-bdb/add.c create mode 100644 servers/slapd/back-bdb/attr.c create mode 100644 servers/slapd/back-bdb/back-bdb.h create mode 100644 servers/slapd/back-bdb/bind.c create mode 100644 servers/slapd/back-bdb/cache.c create mode 100644 servers/slapd/back-bdb/compare.c create mode 100644 servers/slapd/back-bdb/config.c create mode 100644 servers/slapd/back-bdb/dbcache.c create mode 100644 servers/slapd/back-bdb/delete.c create mode 100644 servers/slapd/back-bdb/dn2entry.c create mode 100644 servers/slapd/back-bdb/dn2id.c create mode 100644 servers/slapd/back-bdb/error.c create mode 100644 servers/slapd/back-bdb/extended.c create mode 100644 servers/slapd/back-bdb/filterindex.c create mode 100644 servers/slapd/back-bdb/id2entry.c create mode 100644 servers/slapd/back-bdb/idl.c create mode 100644 servers/slapd/back-bdb/idl.h create mode 100644 servers/slapd/back-bdb/index.c create mode 100644 servers/slapd/back-bdb/init.c create mode 100644 servers/slapd/back-bdb/key.c create mode 100644 servers/slapd/back-bdb/modify.c create mode 100644 servers/slapd/back-bdb/modrdn.c create mode 100644 servers/slapd/back-bdb/monitor.c create mode 100644 servers/slapd/back-bdb/nextid.c create mode 100644 servers/slapd/back-bdb/operational.c create mode 100644 servers/slapd/back-bdb/proto-bdb.h create mode 100644 servers/slapd/back-bdb/referral.c create mode 100644 servers/slapd/back-bdb/search.c create mode 100644 servers/slapd/back-bdb/tools.c create mode 100644 servers/slapd/back-bdb/trans.c create mode 100644 servers/slapd/back-dnssrv/Makefile.in create mode 100644 servers/slapd/back-dnssrv/bind.c create mode 100644 servers/slapd/back-dnssrv/compare.c create mode 100644 servers/slapd/back-dnssrv/config.c create mode 100644 servers/slapd/back-dnssrv/init.c create mode 100644 servers/slapd/back-dnssrv/proto-dnssrv.h create mode 100644 servers/slapd/back-dnssrv/referral.c create mode 100644 servers/slapd/back-dnssrv/search.c create mode 100644 servers/slapd/back-hdb/Makefile.in create mode 100644 servers/slapd/back-hdb/back-bdb.h create mode 100644 servers/slapd/back-ldap/Makefile.in create mode 100644 servers/slapd/back-ldap/TODO.proxy create mode 100644 servers/slapd/back-ldap/add.c create mode 100644 servers/slapd/back-ldap/back-ldap.h create mode 100644 servers/slapd/back-ldap/bind.c create mode 100644 servers/slapd/back-ldap/chain.c create mode 100644 servers/slapd/back-ldap/compare.c create mode 100644 servers/slapd/back-ldap/config.c create mode 100644 servers/slapd/back-ldap/delete.c create mode 100644 servers/slapd/back-ldap/distproc.c create mode 100644 servers/slapd/back-ldap/extended.c create mode 100644 servers/slapd/back-ldap/init.c create mode 100644 servers/slapd/back-ldap/modify.c create mode 100644 servers/slapd/back-ldap/modrdn.c create mode 100644 servers/slapd/back-ldap/monitor.c create mode 100644 servers/slapd/back-ldap/pbind.c create mode 100644 servers/slapd/back-ldap/proto-ldap.h create mode 100644 servers/slapd/back-ldap/search.c create mode 100644 servers/slapd/back-ldap/unbind.c create mode 100644 servers/slapd/back-ldif/Makefile.in create mode 100644 servers/slapd/back-ldif/ldif.c create mode 100644 servers/slapd/back-mdb/Makefile.in create mode 100644 servers/slapd/back-mdb/add.c create mode 100644 servers/slapd/back-mdb/attr.c create mode 100644 servers/slapd/back-mdb/back-mdb.h create mode 100644 servers/slapd/back-mdb/bind.c create mode 100644 servers/slapd/back-mdb/compare.c create mode 100644 servers/slapd/back-mdb/config.c create mode 100644 servers/slapd/back-mdb/delete.c create mode 100644 servers/slapd/back-mdb/dn2entry.c create mode 100644 servers/slapd/back-mdb/dn2id.c create mode 100644 servers/slapd/back-mdb/extended.c create mode 100644 servers/slapd/back-mdb/filterindex.c create mode 100644 servers/slapd/back-mdb/id2entry.c create mode 100644 servers/slapd/back-mdb/idl.c create mode 100644 servers/slapd/back-mdb/idl.h create mode 100644 servers/slapd/back-mdb/index.c create mode 100644 servers/slapd/back-mdb/init.c create mode 100644 servers/slapd/back-mdb/key.c create mode 100644 servers/slapd/back-mdb/modify.c create mode 100644 servers/slapd/back-mdb/modrdn.c create mode 100644 servers/slapd/back-mdb/monitor.c create mode 100644 servers/slapd/back-mdb/nextid.c create mode 100644 servers/slapd/back-mdb/operational.c create mode 100644 servers/slapd/back-mdb/proto-mdb.h create mode 100644 servers/slapd/back-mdb/referral.c create mode 100644 servers/slapd/back-mdb/search.c create mode 100644 servers/slapd/back-mdb/tools.c create mode 100644 servers/slapd/back-meta/Makefile.in create mode 100644 servers/slapd/back-meta/add.c create mode 100644 servers/slapd/back-meta/back-meta.h create mode 100644 servers/slapd/back-meta/bind.c create mode 100644 servers/slapd/back-meta/candidates.c create mode 100644 servers/slapd/back-meta/compare.c create mode 100644 servers/slapd/back-meta/config.c create mode 100644 servers/slapd/back-meta/conn.c create mode 100644 servers/slapd/back-meta/delete.c create mode 100644 servers/slapd/back-meta/dncache.c create mode 100644 servers/slapd/back-meta/init.c create mode 100644 servers/slapd/back-meta/map.c create mode 100644 servers/slapd/back-meta/modify.c create mode 100644 servers/slapd/back-meta/modrdn.c create mode 100644 servers/slapd/back-meta/proto-meta.h create mode 100644 servers/slapd/back-meta/search.c create mode 100644 servers/slapd/back-meta/suffixmassage.c create mode 100644 servers/slapd/back-meta/unbind.c create mode 100644 servers/slapd/back-monitor/Makefile.in create mode 100644 servers/slapd/back-monitor/README create mode 100644 servers/slapd/back-monitor/back-monitor.h create mode 100644 servers/slapd/back-monitor/backend.c create mode 100644 servers/slapd/back-monitor/bind.c create mode 100644 servers/slapd/back-monitor/cache.c create mode 100644 servers/slapd/back-monitor/compare.c create mode 100644 servers/slapd/back-monitor/conn.c create mode 100644 servers/slapd/back-monitor/database.c create mode 100644 servers/slapd/back-monitor/entry.c create mode 100644 servers/slapd/back-monitor/init.c create mode 100644 servers/slapd/back-monitor/listener.c create mode 100644 servers/slapd/back-monitor/log.c create mode 100644 servers/slapd/back-monitor/modify.c create mode 100644 servers/slapd/back-monitor/operation.c create mode 100644 servers/slapd/back-monitor/operational.c create mode 100644 servers/slapd/back-monitor/overlay.c create mode 100644 servers/slapd/back-monitor/proto-back-monitor.h create mode 100644 servers/slapd/back-monitor/rww.c create mode 100644 servers/slapd/back-monitor/search.c create mode 100644 servers/slapd/back-monitor/sent.c create mode 100644 servers/slapd/back-monitor/thread.c create mode 100644 servers/slapd/back-monitor/time.c create mode 100644 servers/slapd/back-ndb/Makefile.in create mode 100644 servers/slapd/back-ndb/TODO create mode 100644 servers/slapd/back-ndb/add.cpp create mode 100644 servers/slapd/back-ndb/attrsets.conf create mode 100644 servers/slapd/back-ndb/back-ndb.h create mode 100644 servers/slapd/back-ndb/bind.cpp create mode 100644 servers/slapd/back-ndb/compare.cpp create mode 100644 servers/slapd/back-ndb/config.cpp create mode 100644 servers/slapd/back-ndb/delete.cpp create mode 100644 servers/slapd/back-ndb/init.cpp create mode 100644 servers/slapd/back-ndb/modify.cpp create mode 100644 servers/slapd/back-ndb/modrdn.cpp create mode 100644 servers/slapd/back-ndb/ndbio.cpp create mode 100644 servers/slapd/back-ndb/proto-ndb.h create mode 100644 servers/slapd/back-ndb/search.cpp create mode 100644 servers/slapd/back-ndb/tools.cpp create mode 100644 servers/slapd/back-null/Makefile.in create mode 100644 servers/slapd/back-null/README create mode 100644 servers/slapd/back-null/null.c create mode 100644 servers/slapd/back-passwd/Makefile.in create mode 100644 servers/slapd/back-passwd/back-passwd.h create mode 100644 servers/slapd/back-passwd/config.c create mode 100644 servers/slapd/back-passwd/init.c create mode 100644 servers/slapd/back-passwd/proto-passwd.h create mode 100644 servers/slapd/back-passwd/search.c create mode 100644 servers/slapd/back-perl/Makefile.in create mode 100644 servers/slapd/back-perl/README create mode 100644 servers/slapd/back-perl/SampleLDAP.pm create mode 100644 servers/slapd/back-perl/add.c create mode 100644 servers/slapd/back-perl/asperl_undefs.h create mode 100644 servers/slapd/back-perl/bind.c create mode 100644 servers/slapd/back-perl/close.c create mode 100644 servers/slapd/back-perl/compare.c create mode 100644 servers/slapd/back-perl/config.c create mode 100644 servers/slapd/back-perl/delete.c create mode 100644 servers/slapd/back-perl/init.c create mode 100644 servers/slapd/back-perl/modify.c create mode 100644 servers/slapd/back-perl/modrdn.c create mode 100644 servers/slapd/back-perl/perl_back.h create mode 100644 servers/slapd/back-perl/proto-perl.h create mode 100644 servers/slapd/back-perl/search.c create mode 100644 servers/slapd/back-relay/Makefile.in create mode 100644 servers/slapd/back-relay/README create mode 100644 servers/slapd/back-relay/back-relay.h create mode 100644 servers/slapd/back-relay/init.c create mode 100644 servers/slapd/back-relay/op.c create mode 100644 servers/slapd/back-relay/proto-back-relay.h create mode 100644 servers/slapd/back-shell/Makefile.in create mode 100644 servers/slapd/back-shell/add.c create mode 100644 servers/slapd/back-shell/bind.c create mode 100644 servers/slapd/back-shell/compare.c create mode 100644 servers/slapd/back-shell/config.c create mode 100644 servers/slapd/back-shell/delete.c create mode 100644 servers/slapd/back-shell/fork.c create mode 100644 servers/slapd/back-shell/init.c create mode 100644 servers/slapd/back-shell/modify.c create mode 100644 servers/slapd/back-shell/modrdn.c create mode 100644 servers/slapd/back-shell/proto-shell.h create mode 100644 servers/slapd/back-shell/result.c create mode 100644 servers/slapd/back-shell/search.c create mode 100644 servers/slapd/back-shell/searchexample.conf create mode 100644 servers/slapd/back-shell/searchexample.sh create mode 100644 servers/slapd/back-shell/shell.h create mode 100644 servers/slapd/back-shell/unbind.c create mode 100644 servers/slapd/back-sock/Makefile.in create mode 100644 servers/slapd/back-sock/add.c create mode 100644 servers/slapd/back-sock/back-sock.h create mode 100644 servers/slapd/back-sock/bind.c create mode 100644 servers/slapd/back-sock/compare.c create mode 100644 servers/slapd/back-sock/config.c create mode 100644 servers/slapd/back-sock/delete.c create mode 100644 servers/slapd/back-sock/extended.c create mode 100644 servers/slapd/back-sock/init.c create mode 100644 servers/slapd/back-sock/modify.c create mode 100644 servers/slapd/back-sock/modrdn.c create mode 100644 servers/slapd/back-sock/opensock.c create mode 100644 servers/slapd/back-sock/proto-sock.h create mode 100644 servers/slapd/back-sock/result.c create mode 100644 servers/slapd/back-sock/search.c create mode 100644 servers/slapd/back-sock/searchexample.conf create mode 100644 servers/slapd/back-sock/searchexample.pl create mode 100644 servers/slapd/back-sock/unbind.c create mode 100644 servers/slapd/back-sql/Makefile.in create mode 100644 servers/slapd/back-sql/add.c create mode 100644 servers/slapd/back-sql/api.c create mode 100644 servers/slapd/back-sql/back-sql.h create mode 100644 servers/slapd/back-sql/bind.c create mode 100644 servers/slapd/back-sql/compare.c create mode 100644 servers/slapd/back-sql/config.c create mode 100644 servers/slapd/back-sql/delete.c create mode 100644 servers/slapd/back-sql/docs/bugs create mode 100644 servers/slapd/back-sql/docs/concept create mode 100644 servers/slapd/back-sql/docs/install create mode 100644 servers/slapd/back-sql/docs/platforms create mode 100644 servers/slapd/back-sql/docs/todo create mode 100644 servers/slapd/back-sql/entry-id.c create mode 100644 servers/slapd/back-sql/init.c create mode 100644 servers/slapd/back-sql/modify.c create mode 100644 servers/slapd/back-sql/modrdn.c create mode 100644 servers/slapd/back-sql/operational.c create mode 100644 servers/slapd/back-sql/proto-sql.h create mode 100644 servers/slapd/back-sql/rdbms_depend/README create mode 100644 servers/slapd/back-sql/rdbms_depend/ibmdb2/backsql_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/ibmdb2/backsql_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/ibmdb2/slapd.conf create mode 100644 servers/slapd/back-sql/rdbms_depend/ibmdb2/testdb_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/ibmdb2/testdb_data.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/ibmdb2/testdb_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/ibmdb2/testdb_metadata.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mssql/backsql_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mssql/backsql_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mssql/slapd.conf create mode 100644 servers/slapd/back-sql/rdbms_depend/mssql/testdb_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mssql/testdb_data.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mssql/testdb_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mssql/testdb_metadata.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mysql/backsql_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mysql/backsql_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mysql/slapd.conf create mode 100644 servers/slapd/back-sql/rdbms_depend/mysql/testdb_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mysql/testdb_data.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mysql/testdb_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/mysql/testdb_metadata.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/oracle/backsql_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/oracle/backsql_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/oracle/slapd.conf create mode 100644 servers/slapd/back-sql/rdbms_depend/oracle/testdb_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/oracle/testdb_data.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/oracle/testdb_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/oracle/testdb_metadata.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/pgsql/backsql_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/pgsql/backsql_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/pgsql/slapd.conf create mode 100644 servers/slapd/back-sql/rdbms_depend/pgsql/testdb_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/pgsql/testdb_data.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/pgsql/testdb_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/pgsql/testdb_metadata.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/backsql_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/backsql_drop.sql create mode 100755 servers/slapd/back-sql/rdbms_depend/timesten/create_schema.sh create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/slapd.conf create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/testdb_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/testdb_data.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/testdb_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/testdb_metadata.sql create mode 100755 servers/slapd/back-sql/rdbms_depend/timesten/ttcreate_schema.sh create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/tttestdb_create.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/tttestdb_data.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/tttestdb_drop.sql create mode 100644 servers/slapd/back-sql/rdbms_depend/timesten/tttestdb_metadata.sql create mode 100644 servers/slapd/back-sql/schema-map.c create mode 100644 servers/slapd/back-sql/search.c create mode 100644 servers/slapd/back-sql/sql-wrap.c create mode 100644 servers/slapd/back-sql/util.c create mode 100644 servers/slapd/backend.c create mode 100644 servers/slapd/backglue.c create mode 100644 servers/slapd/backover.c create mode 100644 servers/slapd/bconfig.c create mode 100644 servers/slapd/bind.c create mode 100644 servers/slapd/cancel.c create mode 100644 servers/slapd/ch_malloc.c create mode 100644 servers/slapd/compare.c create mode 100644 servers/slapd/component.c create mode 100644 servers/slapd/component.h create mode 100644 servers/slapd/config.c create mode 100644 servers/slapd/config.h create mode 100644 servers/slapd/connection.c create mode 100644 servers/slapd/controls.c create mode 100644 servers/slapd/cr.c create mode 100644 servers/slapd/ctxcsn.c create mode 100644 servers/slapd/daemon.c create mode 100644 servers/slapd/delete.c create mode 100644 servers/slapd/dn.c create mode 100644 servers/slapd/entry.c create mode 100644 servers/slapd/extended.c create mode 100644 servers/slapd/filter.c create mode 100644 servers/slapd/filterentry.c create mode 100644 servers/slapd/frontend.c create mode 100644 servers/slapd/globals.c create mode 100644 servers/slapd/index.c create mode 100644 servers/slapd/init.c create mode 100644 servers/slapd/ldapsync.c create mode 100644 servers/slapd/limits.c create mode 100644 servers/slapd/lock.c create mode 100644 servers/slapd/main.c create mode 100644 servers/slapd/matchedValues.c create mode 100644 servers/slapd/modify.c create mode 100644 servers/slapd/modrdn.c create mode 100644 servers/slapd/mods.c create mode 100644 servers/slapd/module.c create mode 100644 servers/slapd/mr.c create mode 100644 servers/slapd/mra.c create mode 100644 servers/slapd/nt_svc.c create mode 100644 servers/slapd/oc.c create mode 100644 servers/slapd/oidm.c create mode 100644 servers/slapd/operation.c create mode 100644 servers/slapd/operational.c create mode 100644 servers/slapd/overlays/Makefile.in create mode 100644 servers/slapd/overlays/README create mode 100644 servers/slapd/overlays/accesslog.c create mode 100644 servers/slapd/overlays/auditlog.c create mode 100644 servers/slapd/overlays/collect.c create mode 100644 servers/slapd/overlays/constraint.c create mode 100644 servers/slapd/overlays/dds.c create mode 100644 servers/slapd/overlays/deref.c create mode 100644 servers/slapd/overlays/dyngroup.c create mode 100644 servers/slapd/overlays/dynlist.c create mode 100644 servers/slapd/overlays/memberof.c create mode 100644 servers/slapd/overlays/overlays.c create mode 100644 servers/slapd/overlays/pcache.c create mode 100644 servers/slapd/overlays/ppolicy.c create mode 100644 servers/slapd/overlays/refint.c create mode 100644 servers/slapd/overlays/retcode.c create mode 100644 servers/slapd/overlays/rwm.c create mode 100644 servers/slapd/overlays/rwm.h create mode 100644 servers/slapd/overlays/rwmconf.c create mode 100644 servers/slapd/overlays/rwmdn.c create mode 100644 servers/slapd/overlays/rwmmap.c create mode 100644 servers/slapd/overlays/seqmod.c create mode 100644 servers/slapd/overlays/slapover.txt create mode 100644 servers/slapd/overlays/sssvlv.c create mode 100644 servers/slapd/overlays/syncprov.c create mode 100644 servers/slapd/overlays/translucent.c create mode 100644 servers/slapd/overlays/unique.c create mode 100644 servers/slapd/overlays/valsort.c create mode 100644 servers/slapd/passwd.c create mode 100644 servers/slapd/phonetic.c create mode 100644 servers/slapd/proto-slap.h create mode 100644 servers/slapd/referral.c create mode 100644 servers/slapd/result.c create mode 100644 servers/slapd/root_dse.c create mode 100644 servers/slapd/sasl.c create mode 100644 servers/slapd/saslauthz.c create mode 100644 servers/slapd/schema.c create mode 100644 servers/slapd/schema/README create mode 100644 servers/slapd/schema/collective.ldif create mode 100644 servers/slapd/schema/corba.ldif create mode 100644 servers/slapd/schema/cosine.ldif create mode 100644 servers/slapd/schema/duaconf.ldif create mode 100644 servers/slapd/schema/dyngroup.ldif create mode 100644 servers/slapd/schema/dyngroup.schema create mode 100644 servers/slapd/schema/inetorgperson.ldif create mode 100644 servers/slapd/schema/java.ldif create mode 100644 servers/slapd/schema/misc.ldif create mode 100644 servers/slapd/schema/misc.schema create mode 100644 servers/slapd/schema/nis.ldif create mode 100644 servers/slapd/schema/nis.schema create mode 100644 servers/slapd/schema/openldap.ldif create mode 100644 servers/slapd/schema/openldap.schema create mode 100644 servers/slapd/schema/pmi.ldif create mode 100644 servers/slapd/schema/ppolicy.ldif create mode 100644 servers/slapd/schema_check.c create mode 100644 servers/slapd/schema_init.c create mode 100644 servers/slapd/schema_prep.c create mode 100644 servers/slapd/schemaparse.c create mode 100644 servers/slapd/search.c create mode 100644 servers/slapd/sets.c create mode 100644 servers/slapd/sets.h create mode 100644 servers/slapd/shell-backends/Makefile.in create mode 100644 servers/slapd/shell-backends/passwd-shell.c create mode 100644 servers/slapd/shell-backends/shellutil.c create mode 100644 servers/slapd/shell-backends/shellutil.h create mode 100644 servers/slapd/sl_malloc.c create mode 100644 servers/slapd/slap.h create mode 100644 servers/slapd/slapacl.c create mode 100644 servers/slapd/slapadd.c create mode 100644 servers/slapd/slapauth.c create mode 100644 servers/slapd/slapcat.c create mode 100644 servers/slapd/slapcommon.c create mode 100644 servers/slapd/slapcommon.h create mode 100644 servers/slapd/slapd.conf create mode 100644 servers/slapd/slapd.ldif create mode 100644 servers/slapd/slapdn.c create mode 100644 servers/slapd/slapi/Makefile.in create mode 100644 servers/slapd/slapi/TODO create mode 100644 servers/slapd/slapi/plugin.c create mode 100644 servers/slapd/slapi/printmsg.c create mode 100644 servers/slapd/slapi/proto-slapi.h create mode 100644 servers/slapd/slapi/slapi.h create mode 100644 servers/slapd/slapi/slapi_dn.c create mode 100644 servers/slapd/slapi/slapi_ext.c create mode 100644 servers/slapd/slapi/slapi_ops.c create mode 100644 servers/slapd/slapi/slapi_overlay.c create mode 100644 servers/slapd/slapi/slapi_pblock.c create mode 100644 servers/slapd/slapi/slapi_utils.c create mode 100644 servers/slapd/slapindex.c create mode 100644 servers/slapd/slappasswd.c create mode 100644 servers/slapd/slapschema.c create mode 100644 servers/slapd/slaptest.c create mode 100644 servers/slapd/starttls.c create mode 100644 servers/slapd/str2filter.c create mode 100644 servers/slapd/syncrepl.c create mode 100644 servers/slapd/syntax.c create mode 100644 servers/slapd/txn.c create mode 100644 servers/slapd/unbind.c create mode 100644 servers/slapd/user.c create mode 100644 servers/slapd/value.c create mode 100644 servers/slapd/zn_malloc.c (limited to 'servers') diff --git a/servers/Makefile.in b/servers/Makefile.in new file mode 100644 index 0000000..12e0eb6 --- /dev/null +++ b/servers/Makefile.in @@ -0,0 +1,17 @@ +# servers Makefile.in for OpenLDAP +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2018 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +SUBDIRS= slapd + diff --git a/servers/slapd/DB_CONFIG b/servers/slapd/DB_CONFIG new file mode 100644 index 0000000..d0f2c68 --- /dev/null +++ b/servers/slapd/DB_CONFIG @@ -0,0 +1,28 @@ +# $OpenLDAP$ +# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases. +# +# See the Oracle Berkeley DB documentation +# +# for detail description of DB_CONFIG syntax and semantics. +# +# Hints can also be found in the OpenLDAP Software FAQ +# +# in particular: +# + +# Note: most DB_CONFIG settings will take effect only upon rebuilding +# the DB environment. + +# one 0.25 GB cache +set_cachesize 0 268435456 1 + +# Data Directory +#set_data_dir db + +# Transaction Log settings +set_lg_regionmax 262144 +set_lg_bsize 2097152 +#set_lg_dir logs + +# Note: special DB_CONFIG flags are no longer needed for "quick" +# slapadd(8) or slapindex(8) access (see their -q option). diff --git a/servers/slapd/Makefile.in b/servers/slapd/Makefile.in new file mode 100644 index 0000000..36d51e2 --- /dev/null +++ b/servers/slapd/Makefile.in @@ -0,0 +1,460 @@ +## Makefile.in for slapd +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 1998-2018 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . + +SLAPTOOLS=slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl slapschema +PROGRAMS=slapd $(SLAPTOOLS) +XPROGRAMS=sslapd libbackends.a .backend liboverlays.a +XSRCS=version.c + +SUBDIRS=back-* shell-backends slapi overlays + +NT_SRCS = nt_svc.c +NT_OBJS = nt_svc.o ../../libraries/liblutil/slapdmsg.res + +SRCS = main.c globals.c bconfig.c config.c daemon.c \ + connection.c search.c filter.c add.c cr.c \ + attr.c entry.c backend.c result.c operation.c \ + dn.c compare.c modify.c delete.c modrdn.c ch_malloc.c \ + value.c ava.c bind.c unbind.c abandon.c filterentry.c \ + phonetic.c acl.c str2filter.c aclparse.c init.c user.c \ + lock.c controls.c extended.c passwd.c \ + schema.c schema_check.c schema_init.c schema_prep.c \ + schemaparse.c ad.c at.c mr.c syntax.c oc.c saslauthz.c \ + oidm.c starttls.c index.c sets.c referral.c root_dse.c \ + sasl.c module.c mra.c mods.c sl_malloc.c zn_malloc.c limits.c \ + operational.c matchedValues.c cancel.c syncrepl.c \ + backglue.c backover.c ctxcsn.c ldapsync.c frontend.c \ + slapadd.c slapcat.c slapcommon.c slapdn.c slapindex.c \ + slappasswd.c slaptest.c slapauth.c slapacl.c component.c \ + aci.c alock.c txn.c slapschema.c \ + $(@PLAT@_SRCS) + +OBJS = main.o globals.o bconfig.o config.o daemon.o \ + connection.o search.o filter.o add.o cr.o \ + attr.o entry.o backend.o backends.o result.o operation.o \ + dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o \ + value.o ava.o bind.o unbind.o abandon.o filterentry.o \ + phonetic.o acl.o str2filter.o aclparse.o init.o user.o \ + lock.o controls.o extended.o passwd.o \ + schema.o schema_check.o schema_init.o schema_prep.o \ + schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o \ + oidm.o starttls.o index.o sets.o referral.o root_dse.o \ + sasl.o module.o mra.o mods.o sl_malloc.o zn_malloc.o limits.o \ + operational.o matchedValues.o cancel.o syncrepl.o \ + backglue.o backover.o ctxcsn.o ldapsync.o frontend.o \ + slapadd.o slapcat.o slapcommon.o slapdn.o slapindex.o \ + slappasswd.o slaptest.o slapauth.o slapacl.o component.o \ + aci.o alock.o txn.o slapschema.o \ + $(@PLAT@_OBJS) + +LDAP_INCDIR= ../../include -I$(srcdir) -I$(srcdir)/slapi -I. +LDAP_LIBDIR= ../../libraries + +SLAP_DIR= +SLAPD_STATIC_DEPENDS=@SLAPD_NO_STATIC@ libbackends.a liboverlays.a +SLAPD_STATIC_BACKENDS=@SLAPD_STATIC_BACKENDS@ +SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BACKENDS@ + +SLAPI_LIBS=@LIBSLAPI@ @SLAPI_LIBS@ + +XDEFS = $(MODULES_CPPFLAGS) +XLDFLAGS = $(MODULES_LDFLAGS) + +XLIBS = $(SLAPD_STATIC_DEPENDS) $(SLAPD_L) $(MODULES_LIBS) +XXLIBS = $(SLAPD_LIBS) $(SECURITY_LIBS) $(LUTIL_LIBS) +XXXLIBS = $(LTHREAD_LIBS) $(SLAPI_LIBS) + +BUILD_OPT = "--enable-slapd" +BUILD_SRV = @BUILD_SLAPD@ + +all-local-srv: all-cffiles + +NT_SLAPD_DEPENDS = slapd.exp +NT_SLAPD_OBJECTS = slapd.exp symdummy.o $(OBJS) version.o + +UNIX_SLAPD_DEPENDS = $(SLAPD_STATIC_DEPENDS) version.o $(SLAPD_L) +UNIX_SLAPD_OBJECTS = $(OBJS) version.o + +SLAPD_DEPENDS = $(@PLAT@_SLAPD_DEPENDS) +SLAPD_OBJECTS = $(@PLAT@_SLAPD_OBJECTS) + +# Notes about slapd for Windows +# ============================= +# slapd.exe must export all of its global symbols, just like a DLL. +# The purpose of this is to allow dynamic modules (dynamic backends +# or external dynamic modules) to bind with the symbols at run-time. +# +# Exporting symbols from an .EXE is a bit tricky and involves multiple +# steps. First a .DEF file must be generated. The .DEF file indicates +# the set of symbols that are to be exported. Many times, it's possible +# to manually create this file with an editor. However, with slapd, +# we want to export EVERY global symbol that it knows about (NOT including +# symbols that are imported from other DLLs). The set of symbols to +# export INCLUDES symbols from all static libraries that slapd gets +# linked with, e.g. avl, lunicode, lutil, etc. This list +# will also include liblber and libldap_r if they were built as static +# libraries. ALSO included will be symbols from other STATIC libraries +# outside the domain of the OpenLDAP source tree, e.g. regex, ltdl, +# crypto, ssl, sasl, etc. (If these libraries are dynamic, we won't want +# to include their symbols in the list). The correct set of symbols +# CAN be determined at build time. The slapd.def target automatically +# determines the correct set of symbols and generates the slapd.def file. +# +# The slapd.def file, serving multiple purposes, will: +# +# 1) be used to generate libslapd.a, the import library for slapd.exe. +# +# 2) be used to generate the symdummy.c file. +# +# 3) be used to help create slapd.exp, the binary-formated slapd export file. +# +# The import library is used by dynamic modules at link time. With this +# library, dynamic modules indicate to the linker that it will resolve +# these symbols from the slapd.exe binary at run-time. Of course, whenever +# a module imports dynamic symbols, those symbols should be marked with +# the __declspec(dllimport) directive in the header files that the dynamic +# modules build with. In OpenLDAP, this is handled automatically in the +# header files. (See ldap_cdefs.h for an explanation). Writers of +# dynamic backend modules should keep in mind that slapd.exe might export +# other global symbols that are not part of OpenLDAP (e.g. regex, ltdl, +# crypto, ssl, sasl, etc.) When a writer actually uses (i.e. imports) these +# symbols, he must verify that the header files from these external packages +# include a mechanism to mark imported symbols with the __declspec(dllimport) +# directive. Whether or not such a mechanism exists, the writer must be +# able to include these directives appropriately when their symbols are +# being imported from slapd.exe. The directive is not completely necessary +# for functions, but it is required for variables. +# +# The symdummy.c file basically references EVERY symbol available to slapd.exe, +# including symbols that slapd.exe never actually referenced. The file +# is compiled and included at link time. Without this object file, slapd.exe +# would NOT export symbols that it never referenced. The reason that these +# symbols must still be exported is because a dynamic module may want to +# use a symbol even if it had not been referenced by slapd.exe. +# + +# +# slapd.def REALLY depends upon all slapd objects and all static libraries +# included in $(LIBS), including static libraries outside of OpenLDAP. +# When slapd.def is built, the absolute paths to all static libraries +# (both inside and outside of OpenLDAP) are generated. We don't have +# any way to include this generated list as a dependency of slapd.def (sigh). +# Thus, we do the best we can by depending on version.o, which depends +# on its own very long list of dependencies. +# +slapd.def: libbackends.a liboverlays.a version.o + @for i in XX $(LDFLAGS) ; do \ + path=`expr "$$i" : "-L\(.*\)"`; \ + if test $$? != 0; then continue; fi; \ + paths="$$paths $$path"; \ + done; \ + objs=""; \ + for i in $(OBJS) version.o $(LIBS) ; do \ + obj="" ; \ + case $$i in \ + -l*) \ + done="" ;\ + base=`expr "$$i" : "-l\(.*\)"`; \ + for p in . $$paths ; do \ + for ext in la dll dll.a a ; do \ + path=$$p/lib$$base.$$ext; \ + test ! -f $$path && continue; \ + if test $$ext = la ; then \ + for t in dlname old_library ; do \ + line=`grep "^$$t=" $$path`; \ + lib=`expr "$$line" : "[^']*'\(.*\)'"`; \ + test -n "$$lib" && test -f $$p/$$lib && \ + path=$$p/$$lib && break; \ + done; \ + test $$t = dlname && ext=dll; \ + test $$t = old_library && ext=a; \ + fi; \ + if test $$ext = a ; then \ + obj=$$path; \ + fi; \ + done=done; \ + break; \ + done; \ + test -n "$$done" && break; \ + done; \ + test -z "$$obj" && continue; \ + ;; \ + *.la) \ + if test -n "$(LTSTATIC)"; then \ + base=`expr "$$i" : ".*/\(.*\).la"`; \ + path=`expr "$$i" : "\(.*/\).*"`; \ + obj=$$path.libs/$$base.a; \ + fi; \ + ;; \ + *.dll.a) \ + ;; \ + *.o | *.a) \ + obj=$$i; \ + esac; \ + objs="$$objs $$obj"; \ + done; \ + echo dlltool --exclude-symbols main,ServiceMain@8 --export-all-symbols \ + --output-def $@.tmp $$objs; \ + dlltool --exclude-symbols main,ServiceMain@8 --export-all-symbols \ + --output-def $@.tmp $$objs; + echo EXPORTS > $@ + $(SED) -e 1,2d -e 's/ @ [0-9][0-9]*//' -e '/\.refptr\./d' $@.tmp | sort >> $@ + $(RM) $@.tmp + +symdummy.c: slapd.def + $(RM) $@ + @echo "generating $@..."; \ + echo "static void never_called() {" > $@.tmp; \ + cat $< | while read line; \ + do \ + set dummy $$line; \ + case $$# in \ + 3) \ + echo "int $$2();" >> $@; \ + echo "$$2();" >> $@.tmp; \ + ;; \ + 4) \ + echo "extern int $$2;" >> $@; \ + echo "$$2 = 0;" >> $@.tmp; \ + ;; \ + esac; \ + done; \ + echo "" >> $@; \ + echo "}" >> $@.tmp; \ + cat $@.tmp >> $@; \ + $(RM) $@.tmp + +libslapd.a: symdummy.o + dlltool --dllname slapd.exe --input-def slapd.def --output-lib $@ + +slapd.exp: libslapd.a + @echo $(LTLINK) -Wl,--base-file,slapd.base -o slapd \ + $(OBJS) symdummy.o version.o $(LIBS) $(WRAP_LIBS); \ + $(LTLINK) -Wl,--base-file,slapd.base -o slapd \ + $(OBJS) symdummy.o version.o $(LIBS) $(WRAP_LIBS) + $(RM) slapd.exe + @echo dlltool --dllname slapd.exe --input-def slapd.def \ + --base-file slapd.base --output-exp $@; \ + dlltool --dllname slapd.exe --input-def slapd.def \ + --base-file slapd.base --output-exp $@; \ + echo $(LTLINK) -Wl,--base-file,slapd.base -o slapd $@ \ + $(OBJS) symdummy.o version.o $(LIBS) $(WRAP_LIBS); \ + $(LTLINK) -Wl,--base-file,slapd.base -o slapd $@ \ + $(OBJS) symdummy.o version.o $(LIBS) $(WRAP_LIBS) + $(RM) slapd.exe + @echo dlltool --dllname slapd.exe --input-def slapd.def \ + --base-file slapd.base --output-exp $@; \ + dlltool --dllname slapd.exe --input-def slapd.def \ + --base-file slapd.base --output-exp $@ + +slapi/libslapi.la: FORCE + (cd slapi; $(MAKE) $(MFLAGS) all) + +slapd: $(SLAPD_DEPENDS) @LIBSLAPI@ + $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \ + $(WRAP_LIBS) + $(RM) $(SLAPTOOLS) + for i in $(SLAPTOOLS); do \ + $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); done + + +sslapd: version.o + $(LTLINK) -static -o $@ $(OBJS) version.o $(LIBS) $(WRAP_LIBS) + +dummy $(SLAPD_DYNAMIC_BACKENDS): slapd + cd $@; $(MAKE) $(MFLAGS) all + @touch $@ + +dynamic_overlays: slapd + cd overlays; $(MAKE) $(MFLAGS) dynamic + +# +# In Windows, dynamic backends have to be built after slapd. For this +# reason, we only build static backends now and dynamic backends later. +# +.backend: FORCE + @if test -n "$(SLAPD_STATIC_BACKENDS)"; then \ + echo "building static backends..."; \ + for i in XX $(SLAPD_STATIC_BACKENDS); do \ + if test $$i != XX; then \ + echo " "; echo " cd $$i; $(MAKE) $(MFLAGS) all"; \ + ( cd $$i; $(MAKE) $(MFLAGS) all ); \ + if test $$? != 0; then exit 1; fi; \ + fi; \ + done; \ + echo " "; \ + fi + +libbackends.a: .backend + @$(RM) -r tmp + @$(MKDIR) tmp + @-for i in back-*/*.a; do \ + ( \ + cd tmp; \ + $(AR) x ../$$i; \ + pre=`echo $$i | $(SED) -e 's/\/.*$$//' -e 's/back-//'`; \ + for j in *.o; do \ + mv $$j $${pre}$$j; \ + done; \ + $(AR) ruv libbackends.a *.o 2>&1 | grep -v truncated; \ + $(RM) *.o __.SYMDEF ________64ELEL_ ; \ + echo "added backend library $$i"; \ + echo ""; \ + ); \ + done + @mv -f tmp/libbackends.a ./libbackends.a + @$(RM) -r tmp + @if test ! -z "$(RANLIB)" ; then \ + $(RANLIB) libbackends.a; \ + fi + @ls -l libbackends.a; echo "" + +liboverlays.a: FORCE + cd overlays; $(MAKE) $(MFLAGS) static + +version.c: Makefile + @-$(RM) $@ + $(MKVERSION) -s -n Versionstr slapd > $@ + +version.o: version.c $(OBJS) $(SLAPD_LIBDEPEND) + +backends.o: backends.c $(srcdir)/slap.h + +depend-local-srv: FORCE + @for i in $(SUBDIRS); do \ + if test -d $$i && test -f $$i/Makefile ; then \ + echo; echo " cd $$i; $(MAKE) $(MFLAGS) depend"; \ + ( cd $$i; $(MAKE) $(MFLAGS) depend ); \ + if test $$? != 0 ; then exit 1; fi ; \ + fi; \ + done + @echo "" + +clean-local: + $(RM) *.exp *.def *.base *.a *.objs symdummy.c + +veryclean-local: + $(RM) backends.c + +clean-local-srv: FORCE + @for i in $(SUBDIRS); do \ + if test -d $$i && test -f $$i/Makefile ; then \ + echo; echo " cd $$i; $(MAKE) $(MFLAGS) clean"; \ + ( cd $$i; $(MAKE) $(MFLAGS) clean ); \ + if test $$? != 0 ; then exit 1; fi ; \ + fi; \ + done + $(RM) *.tmp all-cffiles + +veryclean-local-srv: FORCE + @for i in $(SUBDIRS); do \ + if test -d $$i && test -f $$i/Makefile ; then \ + echo; echo " cd $$i; $(MAKE) $(MFLAGS) clean"; \ + ( cd $$i; $(MAKE) $(MFLAGS) veryclean ); \ + fi; \ + done + +install-dbc-maybe: install-dbc-@BUILD_BDB@ install-dbc-@BUILD_HDB@ + +install-dbc-yes: install-db-config +install-dbc-mod: install-db-config +install-dbc-no: + +install-local-srv: install-slapd install-tools \ + install-conf install-dbc-maybe install-schema install-tools + +install-slapd: FORCE + -$(MKDIR) $(DESTDIR)$(libexecdir) + -$(MKDIR) $(DESTDIR)$(localstatedir)/run + $(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \ + slapd$(EXEEXT) $(DESTDIR)$(libexecdir) + @for i in $(SUBDIRS); do \ + if test -d $$i && test -f $$i/Makefile ; then \ + echo; echo " cd $$i; $(MAKE) $(MFLAGS) install"; \ + ( cd $$i; $(MAKE) $(MFLAGS) install ); \ + if test $$? != 0 ; then exit 1; fi ; \ + fi; \ + done + +all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays + @if test $(PLAT) = NT; then \ + sysconfdir=`cygpath -w $(sysconfdir) | \ + $(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \ + localstatedir=`cygpath -w $(localstatedir) | \ + $(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \ + moduledir=`cygpath -w $(moduledir) | \ + $(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \ + else \ + sysconfdir=$(sysconfdir); \ + localstatedir=$(localstatedir); \ + moduledir=$(moduledir); \ + fi; \ + $(SED) -e "s;%SYSCONFDIR%;$$sysconfdir;" \ + -e "s;%LOCALSTATEDIR%;$$localstatedir;" \ + -e "s;%MODULEDIR%;$$moduledir;" \ + $(srcdir)/slapd.conf > slapd.conf.tmp ; \ + $(SED) -e "s;%SYSCONFDIR%;$$sysconfdir;" \ + -e "s;%LOCALSTATEDIR%;$$localstatedir;" \ + -e "s;%MODULEDIR%;$$moduledir;" \ + $(srcdir)/slapd.ldif > slapd.ldif.tmp ; \ + touch all-cffiles + +install-schema: FORCE + @if test -d $(DESTDIR)$(schemadir) ; then \ + echo "MOVING EXISTING SCHEMA DIR to $(DESTDIR)$(schemadir).$$$$" ; \ + mv $(DESTDIR)$(schemadir) $(DESTDIR)$(schemadir).$$$$ ; \ + fi + $(MKDIR) $(DESTDIR)$(schemadir) + @SD=$(DESTDIR)$(schemadir) ; \ + files=`cd $(srcdir)/schema ; echo README *.ldif *.schema` ; \ + for i in $$files ; do \ + echo $(INSTALL) $(INSTALLFLAGS) -m 444 schema/$$i $$SD/$$i ; \ + $(INSTALL) $(INSTALLFLAGS) -m 444 $(srcdir)/schema/$$i $$SD/$$i ; \ + done + +install-conf: FORCE + @-$(MKDIR) $(DESTDIR)$(sysconfdir) + $(INSTALL) $(INSTALLFLAGS) -m 600 slapd.conf.tmp $(DESTDIR)$(sysconfdir)/slapd.conf.default + if test ! -f $(DESTDIR)$(sysconfdir)/slapd.conf; then \ + echo "installing slapd.conf in $(sysconfdir)"; \ + echo "$(INSTALL) $(INSTALLFLAGS) -m 600 slapd.conf.tmp $(DESTDIR)$(sysconfdir)/slapd.conf"; \ + $(INSTALL) $(INSTALLFLAGS) -m 600 slapd.conf.tmp $(DESTDIR)$(sysconfdir)/slapd.conf; \ + else \ + echo "PRESERVING EXISTING CONFIGURATION FILE $(DESTDIR)$(sysconfdir)/slapd.conf" ; \ + fi + $(INSTALL) $(INSTALLFLAGS) -m 600 slapd.ldif.tmp $(DESTDIR)$(sysconfdir)/slapd.ldif.default + if test ! -f $(DESTDIR)$(sysconfdir)/slapd.ldif; then \ + echo "installing slapd.ldif in $(sysconfdir)"; \ + echo "$(INSTALL) $(INSTALLFLAGS) -m 600 slapd.ldif.tmp $(DESTDIR)$(sysconfdir)/slapd.ldif"; \ + $(INSTALL) $(INSTALLFLAGS) -m 600 slapd.ldif.tmp $(DESTDIR)$(sysconfdir)/slapd.ldif; \ + else \ + echo "PRESERVING EXISTING CONFIGURATION FILE $(DESTDIR)$(sysconfdir)/slapd.ldif" ; \ + fi + +install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) + @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + +install-tools: FORCE + -$(MKDIR) $(DESTDIR)$(sbindir) + for i in $(SLAPTOOLS); do \ + $(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ + $(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ + done + diff --git a/servers/slapd/abandon.c b/servers/slapd/abandon.c new file mode 100644 index 0000000..707101c --- /dev/null +++ b/servers/slapd/abandon.c @@ -0,0 +1,141 @@ +/* abandon.c - decode and handle an ldap abandon operation */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software . + * + * Copyright 1998-2018 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ +/* Portions Copyright (c) 1995 Regents of the University of Michigan. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. + */ + +#include "portable.h" + +#include +#include + +#include "slap.h" + +int +do_abandon( Operation *op, SlapReply *rs ) +{ + ber_int_t id; + Operation *o; + const char *msg; + + Debug( LDAP_DEBUG_TRACE, "%s do_abandon\n", + op->o_log_prefix, 0, 0 ); + + /* + * Parse the abandon request. It looks like this: + * + * AbandonRequest := MessageID + */ + + if ( ber_scanf( op->o_ber, "i", &id ) == LBER_ERROR ) { + Debug( LDAP_DEBUG_ANY, "%s do_abandon: ber_scanf failed\n", + op->o_log_prefix, 0, 0 ); + send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" ); + return SLAPD_DISCONNECT; + } + + Statslog( LDAP_DEBUG_STATS, "%s ABANDON msg=%ld\n", + op->o_log_prefix, (long) id, 0, 0, 0 ); + + if( get_ctrls( op, rs, 0 ) != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "%s do_abandon: get_ctrls failed\n", + op->o_log_prefix, 0, 0 ); + return rs->sr_err; + } + + Debug( LDAP_DEBUG_ARGS, "%s do_abandon: id=%ld\n", + op->o_log_prefix, (long) id, 0 ); + + if( id <= 0 ) { + Debug( LDAP_DEBUG_ANY, "%s do_abandon: bad msgid %ld\n", + op->o_log_prefix, (long) id, 0 ); + return LDAP_SUCCESS; + } + + ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); + + /* Find the operation being abandoned. */ + LDAP_STAILQ_FOREACH( o, &op->o_conn->c_ops, o_next ) { + if ( o->o_msgid == id ) { + break; + } + } + + if ( o == NULL ) { + msg = "not found"; + /* The operation is not active. Just discard it if found. */ + LDAP_STAILQ_FOREACH( o, &op->o_conn->c_pending_ops, o_next ) { + if ( o->o_msgid == id ) { + msg = "discarded"; + /* FIXME: This traverses c_pending_ops yet again. */ + LDAP_STAILQ_REMOVE( &op->o_conn->c_pending_ops, + o, Operation, o_next ); + LDAP_STAILQ_NEXT(o, o_next) = NULL; + op->o_conn->c_n_ops_pending--; + slap_op_free( o, NULL ); + break; + } + } + + } else if ( o->o_tag == LDAP_REQ_BIND + || o->o_tag == LDAP_REQ_UNBIND + || o->o_tag == LDAP_REQ_ABANDON ) { + msg = "cannot be abandoned"; + +#if 0 /* Would break o_abandon used as "suppress response" flag, ITS#6138 */ + } else if ( o->o_abandon ) { + msg = "already being abandoned"; +#endif + + } else { + msg = "found"; + /* Set the o_abandon flag in the to-be-abandoned operation. + * The backend can periodically check this flag and abort the + * operation at a convenient time. However it should "send" + * the response anyway, with result code SLAPD_ABANDON. + * The functions in result.c will intercept the message. + */ + o->o_abandon = 1; + op->orn_msgid = id; + op->o_bd = frontendDB; + rs->sr_err = frontendDB->be_abandon( op, rs ); + } + + ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); + + Debug( LDAP_DEBUG_TRACE, "%s do_abandon: op=%ld %s\n", + op->o_log_prefix, (long) id, msg ); + return rs->sr_err; +} + +int +fe_op_abandon( Operation *op, SlapReply *rs ) +{ + LDAP_STAILQ_FOREACH( op->o_bd, &backendDB, be_next ) { + if ( op->o_bd->be_abandon ) { + (void)op->o_bd->be_abandon( op, rs ); + } + } + + return LDAP_SUCCESS; +} diff --git a/servers/slapd/aci.c b/servers/slapd/aci.c new file mode 100644 index 0000000..4d719b1 --- /dev/null +++ b/servers/slapd/aci.c @@ -0,0 +1,1835 @@ +/* aci.c - routines to parse and check acl's */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software . + * + * Copyright 1998-2018 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ +/* Portions Copyright (c) 1995 Regents of the University of Michigan. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. + */ + +#include "portable.h" + +#ifdef SLAPD_ACI_ENABLED + +#include + +#include +#include +#include +#include +#include + +#include "slap.h" +#include "lber_pvt.h" +#include "lutil.h" + +/* use most appropriate size */ +#define ACI_BUF_SIZE 1024 + +/* move to "stable" when no longer experimental */ +#define SLAPD_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1" + +/* change this to "OpenLDAPset" */ +#define SLAPD_ACI_SET_ATTR "template" + +typedef enum slap_aci_scope_t { + SLAP_ACI_SCOPE_ENTRY = 0x1, + SLAP_ACI_SCOPE_CHILDREN = 0x2, + SLAP_ACI_SCOPE_SUBTREE = ( SLAP_ACI_SCOPE_ENTRY | SLAP_ACI_SCOPE_CHILDREN ) +} slap_aci_scope_t; + +enum { + ACI_BV_ENTRY, + ACI_BV_CHILDREN, + ACI_BV_ONELEVEL, + ACI_BV_SUBTREE, + + ACI_BV_BR_ENTRY, + ACI_BV_BR_CHILDREN, + ACI_BV_BR_ALL, + + ACI_BV_ACCESS_ID, + ACI_BV_PUBLIC, + ACI_BV_USERS, + ACI_BV_SELF, + ACI_BV_DNATTR, + ACI_BV_GROUP, + ACI_BV_ROLE, + ACI_BV_SET, + ACI_BV_SET_REF, + + ACI_BV_GRANT, + ACI_BV_DENY, + + ACI_BV_GROUP_CLASS, + ACI_BV_GROUP_ATTR, + ACI_BV_ROLE_CLASS, + ACI_BV_ROLE_ATTR, + + ACI_BV_SET_ATTR, + + ACI_BV_LAST +}; + +static const struct berval aci_bv[] = { + /* scope */ + BER_BVC("entry"), + BER_BVC("children"), + BER_BVC("onelevel"), + BER_BVC("subtree"), + + /* */ + BER_BVC("[entry]"), + BER_BVC("[children]"), + BER_BVC("[all]"), + + /* type */ + BER_BVC("access-id"), + BER_BVC("public"), + BER_BVC("users"), + BER_BVC("self"), + BER_BVC("dnattr"), + BER_BVC("group"), + BER_BVC("role"), + BER_BVC("set"), + BER_BVC("set-ref"), + + /* actions */ + BER_BVC("grant"), + BER_BVC("deny"), + + /* schema */ + BER_BVC(SLAPD_GROUP_CLASS), + BER_BVC(SLAPD_GROUP_ATTR), + BER_BVC(SLAPD_ROLE_CLASS), + BER_BVC(SLAPD_ROLE_ATTR), + + BER_BVC(SLAPD_ACI_SET_ATTR), + + BER_BVNULL +}; + +static AttributeDescription *slap_ad_aci; + +static int +OpenLDAPaciValidate( + Syntax *syntax, + struct berval *val ); + +static int +OpenLDAPaciPretty( + Syntax *syntax, + struct berval *val, + struct berval *out, + void *ctx ); + +static int +OpenLDAPaciNormalize( + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *out, + void *ctx ); + +#define OpenLDAPaciMatch octetStringMatch + +static int +aci_list_map_rights( + struct berval *list ) +{ + struct berval bv; + slap_access_t mask; + int i; + + ACL_INIT( mask ); + for ( i = 0; acl_get_part( list, i, ',', &bv ) >= 0; i++ ) { + if ( bv.bv_len <= 0 ) { + continue; + } + + switch ( *bv.bv_val ) { + case 'x': + /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt does not + * define any equivalent to the AUTH right, so I've just used + * 'x' for now. + */ + ACL_PRIV_SET(mask, ACL_PRIV_AUTH); + break; + case 'd': + /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt defines + * the right 'd' to mean "delete"; we hijack it to mean + * "disclose" for consistency wuith the rest of slapd. + */ + ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE); + break; + case 'c': + ACL_PRIV_SET(mask, ACL_PRIV_COMPARE); + break; + case 's': + /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt defines + * the right 's' to mean "set", but in the examples states + * that the right 's' means "search". The latter definition + * is used here. + */ + ACL_PRIV_SET(mask, ACL_PRIV_SEARCH); + break; + case 'r': + ACL_PRIV_SET(mask, ACL_PRIV_READ); + break; + case 'w': + ACL_PRIV_SET(mask, ACL_PRIV_WRITE); + break; + default: + break; + } + + } + + return mask; +} + +static int +aci_list_has_attr( + struct berval *list, + const struct berval *attr, + struct berval *val ) +{ + struct berval bv, left, right; + int i; + + for ( i = 0; acl_get_part( list, i, ',', &bv ) >= 0; i++ ) { + if ( acl_get_part(&bv, 0, '=', &left ) < 0 + || acl_get_part( &bv, 1, '=', &right ) < 0 ) + { + if ( ber_bvstrcasecmp( attr, &bv ) == 0 ) { + return(1); + } + + } else if ( val == NULL ) { + if ( ber_bvstrcasecmp( attr, &left ) == 0 ) { + return(1); + } + + } else { + if ( ber_bvstrcasecmp( attr, &left ) == 0 ) { + /* FIXME: this is also totally undocumented! */ + /* this is experimental code that implements a + * simple (prefix) match of the attribute value. + * the ACI draft does not provide for aci's that + * apply to specific values, but it would be + * nice to have. If the part of an aci's + * rights list is of the form =, + * that means the aci applies only to attrs with + * the given value. Furthermore, if the attr is + * of the form =*, then is + * treated as a prefix, and the aci applies to + * any value with that prefix. + * + * Ideally, this would allow r.e. matches. + */ + if ( acl_get_part( &right, 0, '*', &left ) < 0 + || right.bv_len <= left.bv_len ) + { + if ( ber_bvstrcasecmp( val, &right ) == 0 ) { + return 1; + } + + } else if ( val->bv_len >= left.bv_len ) { + if ( strncasecmp( val->bv_val, left.bv_val, left.bv_len ) == 0 ) { + return(1); + } + } + } + } + } + + return 0; +} + +static slap_access_t +aci_list_get_attr_rights( + struct berval *list, + const struct berval *attr, + struct berval *val ) +{ + struct berval bv; + slap_access_t mask; + int i; + + /* loop through each rights/attr pair, skip first part (action) */ + ACL_INIT(mask); + for ( i = 1; acl_get_part( list, i + 1, ';', &bv ) >= 0; i += 2 ) { + if ( aci_list_has_attr( &bv, attr, val ) == 0 ) { + Debug( LDAP_DEBUG_ACL, + " <= aci_list_get_attr_rights " + "test %s for %s -> failed\n", + bv.bv_val, attr->bv_val, 0 ); + continue; + } + + Debug( LDAP_DEBUG_ACL, + " <= aci_list_get_attr_rights " + "test %s for %s -> ok\n", + bv.bv_val, attr->bv_val, 0 ); + + if ( acl_get_part( list, i, ';', &bv ) < 0 ) { + Debug( LDAP_DEBUG_ACL, + " <= aci_list_get_attr_rights " + "test no rights\n", + 0, 0, 0 ); + continue; + } + + mask |= aci_list_map_rights( &bv ); + Debug( LDAP_DEBUG_ACL, + " <= aci_list_get_attr_rights " + "rights %s to mask 0x%x\n", + bv.bv_val, mask, 0 ); + } + + return mask; +} + +static int +aci_list_get_rights( + struct berval *list, + struct berval *attr, + struct berval *val, + slap_access_t *grant, + slap_access_t *deny ) +{ + struct berval perm, actn, baseattr; + slap_access_t *mask; + int i, found; + + if ( attr == NULL || BER_BVISEMPTY( attr ) ) { + attr = (struct berval *)&aci_bv[ ACI_BV_ENTRY ]; + + } else if ( acl_get_part( attr, 0, ';', &baseattr ) > 0 ) { + attr = &baseattr; + } + found = 0; + ACL_INIT(*grant); + ACL_INIT(*deny); + /* loop through each permissions clause */ + for ( i = 0; acl_get_part( list, i, '$', &perm ) >= 0; i++ ) { + if ( acl_get_part( &perm, 0, ';', &actn ) < 0 ) { + continue; + } + + if ( ber_bvstrcasecmp( &aci_bv[ ACI_BV_GRANT ], &actn ) == 0 ) { + mask = grant; + + } else if ( ber_bvstrcasecmp( &aci_bv[ ACI_BV_DENY ], &actn ) == 0 ) { + mask = deny; + + } else { + continue; + } + + *mask |= aci_list_get_attr_rights( &perm, attr, val ); + *mask |= aci_list_get_attr_rights( &perm, &aci_bv[ ACI_BV_BR_ALL ], NULL ); + + if ( *mask != ACL_PRIV_NONE ) { + found = 1; + } + } + + return found; +} + +static int +aci_group_member ( + struct berval *subj, + const struct berval *defgrpoc, + const struct berval *defgrpat, + Operation *op, + Entry *e, + int nmatch, + regmatch_t *matches +) +{ + struct berval subjdn; + struct berval grpoc; + struct berval grpat; + ObjectClass *grp_oc = NULL; + AttributeDescription *grp_ad = NULL; + const char *text; + int rc; + + /* format of string is "{group|role}/objectClassValue/groupAttrName" */ + if ( acl_get_part( subj, 0, '/', &subjdn ) < 0 ) { + return 0; + } + + if ( acl_get_part( subj, 1, '/', &grpoc ) < 0 ) { + grpoc = *defgrpoc; + } + + if ( acl_get_part( subj, 2, '/', &grpat ) < 0 ) { + grpat = *defgrpat; + } + + rc = slap_bv2ad( &grpat, &grp_ad, &text ); + if ( rc != LDAP_SUCCESS ) { + rc = 0; + goto done; + } + rc = 0; + + grp_oc = oc_bvfind( &grpoc ); + + if ( grp_oc != NULL && grp_ad != NULL ) { + char buf[ ACI_BUF_SIZE ]; + struct berval bv, ndn; + AclRegexMatches amatches = { 0 }; + + amatches.dn_count = nmatch; + AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) ); + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = (char *)&buf; + if ( acl_string_expand( &bv, &subjdn, + &e->e_nname, NULL, &amatches ) ) + { + rc = LDAP_OTHER; + goto done; + } + + if ( dnNormalize( 0, NULL, NULL, &bv, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS ) + { + rc = ( backend_group( op, e, &ndn, &op->o_ndn, + grp_oc, grp_ad ) == 0 ); + slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); + } + } + +done: + return rc; +} + +static int +aci_mask( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + struct berval *aci, + int nmatch, + regmatch_t *matches, + slap_access_t *grant, + slap_access_t *deny, + slap_aci_scope_t asserted_scope ) +{ + struct berval bv, + scope, + perms, + type, + opts, + sdn; + int rc; + + ACL_INIT( *grant ); + ACL_INIT( *deny ); + + assert( !BER_BVISNULL( &desc->ad_cname ) ); + + /* parse an aci of the form: + oid # scope # action;rights;attr;rights;attr + $ action;rights;attr;rights;attr # type # subject + + [NOTE: the following comment is very outdated, + as the draft version it refers to (Ando, 2004-11-20)]. + + See draft-ietf-ldapext-aci-model-04.txt section 9.1 for + a full description of the format for this attribute. + Differences: "this" in the draft is "self" here, and + "self" and "public" is in the position of type. + + = {entry|children|subtree} + = {public|users|access-id|subtree|onelevel|children| + self|dnattr|group|role|set|set-ref} + + This routine now supports scope={ENTRY,CHILDREN} + with the semantics: + - ENTRY applies to "entry" and "subtree"; + - CHILDREN applies to "children" and "subtree" + */ + + /* check that the aci has all 5 components */ + if ( acl_get_part( aci, 4, '#', NULL ) < 0 ) { + return 0; + } + + /* check that the aci family is supported */ + /* FIXME: the OID is ignored? */ + if ( acl_get_part( aci, 0, '#', &bv ) < 0 ) { + return 0; + } + + /* check that the scope matches */ + if ( acl_get_part( aci, 1, '#', &scope ) < 0 ) { + return 0; + } + + /* note: scope can be either ENTRY or CHILDREN; + * they respectively match "entry" and "children" in bv + * both match "subtree" */ + switch ( asserted_scope ) { + case SLAP_ACI_SCOPE_ENTRY: + if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_ENTRY ] ) != 0 + && ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 ) + { + return 0; + } + break; + + case SLAP_ACI_SCOPE_CHILDREN: + if ( ber_bvcmp( &scope, &aci_bv[ ACI_BV_CHILDREN ] ) != 0 + && ber_bvstrcasecmp( &scope, &aci_bv[ ACI_BV_SUBTREE ] ) != 0 ) + { + return 0; + } + break; + + case SLAP_ACI_SCOPE_SUBTREE: + /* TODO: add assertion? */ + return 0; + } + + /* get the list of permissions clauses, bail if empty */ + if ( acl_get_part( aci, 2, '#', &perms ) <= 0 ) { + assert( 0 ); + return 0; + } + + /* check if any permissions allow desired access */ + if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) { + return 0; + } + + /* see if we have a DN match */ + if ( acl_get_part( aci, 3, '#', &type ) < 0 ) { + assert( 0 ); + return 0; + } + + /* see if we have a public (i.e. anonymous) access */ + if ( ber_bvcmp( &aci_bv[ ACI_BV_PUBLIC ], &type ) == 0 ) { + return 1; + } + + /* otherwise require an identity */ + if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) { + return 0; + } + + /* see if we have a users access */ + if ( ber_bvcmp( &aci_bv[ ACI_BV_USERS ], &type ) == 0 ) { + return 1; + } + + /* NOTE: this may fail if a DN contains a valid '#' (unescaped); + * just grab all the berval up to its end (ITS#3303). + * NOTE: the problem could be solved by providing the DN with + * the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would + * become "cn=Foo\23Bar" and be safely used by aci_mask(). */ +#if 0 + if ( acl_get_part( aci, 4, '#', &sdn ) < 0 ) { + return 0; + } +#endif + sdn.bv_val = type.bv_val + type.bv_len + STRLENOF( "#" ); + sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val ); + + /* get the type options, if any */ + if ( acl_get_part( &type, 1, '/', &opts ) > 0 ) { + opts.bv_len = type.bv_len - ( opts.bv_val - type.bv_val ); + type.bv_len = opts.bv_val - type.bv_val - 1; + + } else { + BER_BVZERO( &opts ); + } + + if ( ber_bvcmp( &aci_bv[ ACI_BV_ACCESS_ID ], &type ) == 0 ) { + return dn_match( &op->o_ndn, &sdn ); + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_SUBTREE ], &type ) == 0 ) { + return dnIsSuffix( &op->o_ndn, &sdn ); + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_ONELEVEL ], &type ) == 0 ) { + struct berval pdn; + + dnParent( &sdn, &pdn ); + + return dn_match( &op->o_ndn, &pdn ); + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_CHILDREN ], &type ) == 0 ) { + return ( !dn_match( &op->o_ndn, &sdn ) && dnIsSuffix( &op->o_ndn, &sdn ) ); + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_SELF ], &type ) == 0 ) { + return dn_match( &op->o_ndn, &e->e_nname ); + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_DNATTR ], &type ) == 0 ) { + Attribute *at; + AttributeDescription *ad = NULL; + const char *text; + + rc = slap_bv2ad( &sdn, &ad, &text ); + assert( rc == LDAP_SUCCESS ); + + rc = 0; + for ( at = attrs_find( e->e_attrs, ad ); + at != NULL; + at = attrs_find( at->a_next, ad ) ) + { + if ( attr_valfind( at, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + &op->o_ndn, NULL, op->o_tmpmemctx ) == 0 ) + { + rc = 1; + break; + } + } + + return rc; + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_GROUP ], &type ) == 0 ) { + struct berval oc, + at; + + if ( BER_BVISNULL( &opts ) ) { + oc = aci_bv[ ACI_BV_GROUP_CLASS ]; + at = aci_bv[ ACI_BV_GROUP_ATTR ]; + + } else { + if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) { + assert( 0 ); + } + + if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) { + at = aci_bv[ ACI_BV_GROUP_ATTR ]; + } + } + + if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) ) + { + return 1; + } + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_ROLE ], &type ) == 0 ) { + struct berval oc, + at; + + if ( BER_BVISNULL( &opts ) ) { + oc = aci_bv[ ACI_BV_ROLE_CLASS ]; + at = aci_bv[ ACI_BV_ROLE_ATTR ]; + + } else { + if ( acl_get_part( &opts, 0, '/', &oc ) < 0 ) { + assert( 0 ); + } + + if ( acl_get_part( &opts, 1, '/', &at ) < 0 ) { + at = aci_bv[ ACI_BV_ROLE_ATTR ]; + } + } + + if ( aci_group_member( &sdn, &oc, &at, op, e, nmatch, matches ) ) + { + return 1; + } + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET ], &type ) == 0 ) { + if ( acl_match_set( &sdn, op, e, NULL ) ) { + return 1; + } + + } else if ( ber_bvcmp( &aci_bv[ ACI_BV_SET_REF ], &type ) == 0 ) { + if ( acl_match_set( &sdn, op, e, (struct berval *)&aci_bv[ ACI_BV_SET_ATTR ] ) ) { + return 1; + } + + } else { + /* it passed normalization! */ + assert( 0 ); + } + + return 0; +} + +static int +aci_init( void ) +{ + /* OpenLDAP eXperimental Syntax */ + static slap_syntax_defs_rec aci_syntax_def = { + "( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )", + SLAP_SYNTAX_HIDE, + NULL, + OpenLDAPaciValidate, + OpenLDAPaciPretty + }; + static slap_mrule_defs_rec aci_mr_def = { + "( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' " + "SYNTAX 1.3.6.1.4.1.4203.666.2.1 )", + SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL, + NULL, OpenLDAPaciNormalize, OpenLDAPaciMatch, + NULL, NULL, + NULL + }; + static struct { + char *name; + char *desc; + slap_mask_t flags; + AttributeDescription **ad; + } aci_at = { + "OpenLDAPaci", "( 1.3.6.1.4.1.4203.666.1.5 " + "NAME 'OpenLDAPaci' " + "DESC 'OpenLDAP access control information (experimental)' " + "EQUALITY OpenLDAPaciMatch " + "SYNTAX 1.3.6.1.4.1.4203.666.2.1 " + "USAGE directoryOperation )", + SLAP_AT_HIDE, + &slap_ad_aci + }; + + int rc; + + /* ACI syntax */ + rc = register_syntax( &aci_syntax_def ); + if ( rc != 0 ) { + return rc; + } + + /* ACI equality rule */ + rc = register_matching_rule( &aci_mr_def ); + if ( rc != 0 ) { + return rc; + } + + /* ACI attribute */ + rc = register_at( aci_at.desc, aci_at.ad, 0 ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "aci_init: at_register failed\n", 0, 0, 0 ); + return rc; + } + + /* install flags */ + (*aci_at.ad)->ad_type->sat_flags |= aci_at.flags; + + return rc; +} + +static int +dynacl_aci_parse( + const char *fname, + int lineno, + const char *opts, + slap_style_t sty, + const char *right, + void **privp ) +{ + AttributeDescription *ad = NULL; + const char *text = NULL; + + if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) { + fprintf( stderr, "%s: line %d: " + "inappropriate style \"%s\" in \"aci\" by clause\n", + fname, lineno, style_strings[sty] ); + return -1; + } + + if ( right != NULL && *right != '\0' ) { + if ( slap_str2ad( right, &ad, &text ) != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: aci \"%s\": %s\n", + fname, lineno, right, text ); + return -1; + } + + } else { + ad = slap_ad_aci; + } + + if ( !is_at_syntax( ad->ad_type, SLAPD_ACI_SYNTAX) ) { + fprintf( stderr, "%s: line %d: " + "aci \"%s\": inappropriate syntax: %s\n", + fname, lineno, right, + ad->ad_type->sat_syntax_oid ); + return -1; + } + + *privp = (void *)ad; + + return 0; +} + +static int +dynacl_aci_unparse( void *priv, struct berval *bv ) +{ + AttributeDescription *ad = ( AttributeDescription * )priv; + char *ptr; + + assert( ad != NULL ); + + bv->bv_val = ch_malloc( STRLENOF(" aci=") + ad->ad_cname.bv_len + 1 ); + ptr = lutil_strcopy( bv->bv_val, " aci=" ); + ptr = lutil_strcopy( ptr, ad->ad_cname.bv_val ); + bv->bv_len = ptr - bv->bv_val; + + return 0; +} + +static int +dynacl_aci_mask( + void *priv, + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + int nmatch, + regmatch_t *matches, + slap_access_t *grantp, + slap_access_t *denyp ) +{ + AttributeDescription *ad = ( AttributeDescription * )priv; + Attribute *at; + slap_access_t tgrant, tdeny, grant, deny; +#ifdef LDAP_DEBUG + char accessmaskbuf[ACCESSMASK_MAXLEN]; + char accessmaskbuf1[ACCESSMASK_MAXLEN]; +#endif /* LDAP_DEBUG */ + + if ( BER_BVISEMPTY( &e->e_nname ) ) { + /* no ACIs in the root DSE */ + return -1; + } + + /* start out with nothing granted, nothing denied */ + ACL_INIT(tgrant); + ACL_INIT(tdeny); + + /* get the aci attribute */ + at = attr_find( e->e_attrs, ad ); + if ( at != NULL ) { + int i; + + /* the aci is an multi-valued attribute. The + * rights are determined by OR'ing the individual + * rights given by the acis. + */ + for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) { + if ( aci_mask( op, e, desc, val, &at->a_nvals[i], + nmatch, matches, &grant, &deny, + SLAP_ACI_SCOPE_ENTRY ) != 0 ) + { + tgrant |= grant; + tdeny |= deny; + } + } + + Debug( LDAP_DEBUG_ACL, " <= aci_mask grant %s deny %s\n", + accessmask2str( tgrant, accessmaskbuf, 1 ), + accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 ); + } + + /* If the entry level aci didn't contain anything valid for the + * current operation, climb up the tree and evaluate the + * acis with scope set to subtree + */ + if ( tgrant == ACL_PRIV_NONE && tdeny == ACL_PRIV_NONE ) { + struct berval parent_ndn; + + dnParent( &e->e_nname, &parent_ndn ); + while ( !BER_BVISEMPTY( &parent_ndn ) ){ + int i; + BerVarray bvals = NULL; + int ret, stop; + + /* to solve the chicken'n'egg problem of accessing + * the OpenLDAPaci attribute, the direct access + * to the entry's attribute is unchecked; however, + * further accesses to OpenLDAPaci values in the + * ancestors occur through backend_attribute(), i.e. + * with the identity of the operation, requiring + * further access checking. For uniformity, this + * makes further requests occur as the rootdn, if + * any, i.e. searching for the OpenLDAPaci attribute + * is considered an internal search. If this is not + * acceptable, then the same check needs be performed + * when accessing the entry's attribute. */ + struct berval save_o_dn, save_o_ndn; + + if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) { + save_o_dn = op->o_dn; + save_o_ndn = op->o_ndn; + + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + } + + Debug( LDAP_DEBUG_ACL, " checking ACI of \"%s\"\n", parent_ndn.bv_val, 0, 0 ); + ret = backend_attribute( op, NULL, &parent_ndn, ad, &bvals, ACL_AUTH ); + + if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) { + op->o_dn = save_o_dn; + op->o_ndn = save_o_ndn; + } + + switch ( ret ) { + case LDAP_SUCCESS : + stop = 0; + if ( !bvals ) { + break; + } + + for ( i = 0; !BER_BVISNULL( &bvals[i] ); i++ ) { + if ( aci_mask( op, e, desc, val, + &bvals[i], + nmatch, matches, + &grant, &deny, + SLAP_ACI_SCOPE_CHILDREN ) != 0 ) + { + tgrant |= grant; + tdeny |= deny; + /* evaluation stops as soon as either a "deny" or a + * "grant" directive matches. + */ + if ( tgrant != ACL_PRIV_NONE || tdeny != ACL_PRIV_NONE ) { + stop = 1; + } + } + Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", + accessmask2str( tgrant, accessmaskbuf, 1 ), + accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 ); + } + break; + + case LDAP_NO_SUCH_ATTRIBUTE: + /* just go on if the aci-Attribute is not present in + * the current entry + */ + Debug( LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0 ); + stop = 0; + break; + + case LDAP_NO_SUCH_OBJECT: + /* We have reached the base object */ + Debug( LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0 ); + stop = 1; + break; + + default: + stop = 1; + break; + } + + if ( stop ) { + break; + } + dnParent( &parent_ndn, &parent_ndn ); + } + } + + *grantp = tgrant; + *denyp = tdeny; + + return 0; +} + +/* need to register this at some point */ +static slap_dynacl_t dynacl_aci = { + "aci", + dynacl_aci_parse, + dynacl_aci_unparse, + dynacl_aci_mask, + NULL, + NULL, + NULL +}; + +int +dynacl_aci_init( void ) +{ + int rc; + + rc = aci_init(); + + if ( rc == 0 ) { + rc = slap_dynacl_register( &dynacl_aci ); + } + + return rc; +} + + +/* ACI syntax validation */ + +/* + * Matches given berval to array of bervals + * Returns: + * >=0 if one if the array elements equals to this berval + * -1 if string was not found in array + */ +static int +bv_getcaseidx( + struct berval *bv, + const struct berval *arr[] ) +{ + int i; + + if ( BER_BVISEMPTY( bv ) ) { + return -1; + } + + for ( i = 0; arr[ i ] != NULL ; i++ ) { + if ( ber_bvstrcasecmp( bv, arr[ i ] ) == 0 ) { + return i; + } + } + + return -1; +} + + +/* Returns what have left in input berval after current sub */ +static void +bv_get_tail( + struct berval *val, + struct berval *sub, + struct berval *tail ) +{ + int head_len; + + tail->bv_val = sub->bv_val + sub->bv_len; + head_len = (unsigned long) tail->bv_val - (unsigned long) val->bv_val; + tail->bv_len = val->bv_len - head_len; +} + + +/* + * aci is accepted in following form: + * oid#scope#rights#type#subject + * Where: + * oid := numeric OID (currently ignored) + * scope := entry|children|subtree + * rights := right[[$right]...] + * right := (grant|deny);action + * action := perms;attrs[[;perms;attrs]...] + * perms := perm[[,perm]...] + * perm := c|s|r|w|x + * attrs := attribute[[,attribute]..]|"[all]" + * attribute := attributeType|attributeType=attributeValue|attributeType=attributeValuePrefix* + * type := public|users|self|dnattr|group|role|set|set-ref| + * access_id|subtree|onelevel|children + */ +static int +OpenLDAPaciValidatePerms( + struct berval *perms ) +{ + ber_len_t i; + + for ( i = 0; i < perms->bv_len; ) { + switch ( perms->bv_val[ i ] ) { + case 'x': + case 'd': + case 'c': + case 's': + case 'r': + case 'w': + break; + + default: + Debug( LDAP_DEBUG_ACL, "aciValidatePerms: perms needs to be one of x,d,c,s,r,w in '%s'\n", perms->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + if ( ++i == perms->bv_len ) { + return LDAP_SUCCESS; + } + + while ( i < perms->bv_len && perms->bv_val[ i ] == ' ' ) + i++; + + assert( i != perms->bv_len ); + + if ( perms->bv_val[ i ] != ',' ) { + Debug( LDAP_DEBUG_ACL, "aciValidatePerms: missing comma in '%s'\n", perms->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + do { + i++; + } while ( perms->bv_val[ i ] == ' ' ); + } + + return LDAP_SUCCESS; +} + +static const struct berval *ACIgrantdeny[] = { + &aci_bv[ ACI_BV_GRANT ], + &aci_bv[ ACI_BV_DENY ], + NULL +}; + +static int +OpenLDAPaciValidateRight( + struct berval *action ) +{ + struct berval bv = BER_BVNULL; + int i; + + /* grant|deny */ + if ( acl_get_part( action, 0, ';', &bv ) < 0 || + bv_getcaseidx( &bv, ACIgrantdeny ) == -1 ) + { + Debug( LDAP_DEBUG_ACL, "aciValidateRight: '%s' must be either 'grant' or 'deny'\n", bv.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + for ( i = 0; acl_get_part( action, i + 1, ';', &bv ) >= 0; i++ ) { + if ( i & 1 ) { + /* perms */ + if ( OpenLDAPaciValidatePerms( &bv ) != LDAP_SUCCESS ) + { + return LDAP_INVALID_SYNTAX; + } + + } else { + /* attr */ + AttributeDescription *ad; + const char *text; + struct berval attr, left, right; + int j; + + /* could be "[all]" or an attribute description */ + if ( ber_bvstrcasecmp( &bv, &aci_bv[ ACI_BV_BR_ALL ] ) == 0 ) { + continue; + } + + + for ( j = 0; acl_get_part( &bv, j, ',', &attr ) >= 0; j++ ) + { + ad = NULL; + text = NULL; + if ( acl_get_part( &attr, 0, '=', &left ) < 0 + || acl_get_part( &attr, 1, '=', &right ) < 0 ) + { + if ( slap_bv2ad( &attr, &ad, &text ) != LDAP_SUCCESS ) + { + Debug( LDAP_DEBUG_ACL, "aciValidateRight: unknown attribute: '%s'\n", attr.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + } else { + if ( slap_bv2ad( &left, &ad, &text ) != LDAP_SUCCESS ) + { + Debug( LDAP_DEBUG_ACL, "aciValidateRight: unknown attribute: '%s'\n", left.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + } + } + } + } + + /* "perms;attr" go in pairs */ + if ( i > 0 && ( i & 1 ) == 0 ) { + return LDAP_SUCCESS; + + } else { + Debug( LDAP_DEBUG_ACL, "aciValidateRight: perms:attr need to be pairs in '%s'\n", action->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + return LDAP_SUCCESS; +} + +static int +OpenLDAPaciNormalizeRight( + struct berval *action, + struct berval *naction, + void *ctx ) +{ + struct berval grantdeny, + perms = BER_BVNULL, + bv = BER_BVNULL; + int idx, + i; + + /* grant|deny */ + if ( acl_get_part( action, 0, ';', &grantdeny ) < 0 ) { + Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: missing ';' in '%s'\n", action->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + idx = bv_getcaseidx( &grantdeny, ACIgrantdeny ); + if ( idx == -1 ) { + Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: '%s' must be grant or deny\n", grantdeny.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + ber_dupbv_x( naction, (struct berval *)ACIgrantdeny[ idx ], ctx ); + + for ( i = 1; acl_get_part( action, i, ';', &bv ) >= 0; i++ ) { + struct berval nattrs = BER_BVNULL; + int freenattrs = 1; + if ( i & 1 ) { + /* perms */ + if ( OpenLDAPaciValidatePerms( &bv ) != LDAP_SUCCESS ) + { + return LDAP_INVALID_SYNTAX; + } + perms = bv; + + } else { + /* attr */ + char *ptr; + + /* could be "[all]" or an attribute description */ + if ( ber_bvstrcasecmp( &bv, &aci_bv[ ACI_BV_BR_ALL ] ) == 0 ) { + nattrs = aci_bv[ ACI_BV_BR_ALL ]; + freenattrs = 0; + + } else { + AttributeDescription *ad = NULL; + AttributeDescription adstatic= { 0 }; + const char *text = NULL; + struct berval attr, left, right; + int j; + int len; + + for ( j = 0; acl_get_part( &bv, j, ',', &attr ) >= 0; j++ ) + { + ad = NULL; + text = NULL; + /* openldap 2.1 aci compabitibility [entry] -> entry */ + if ( ber_bvstrcasecmp( &attr, &aci_bv[ ACI_BV_BR_ENTRY ] ) == 0 ) { + ad = &adstatic; + adstatic.ad_cname = aci_bv[ ACI_BV_ENTRY ]; + + /* openldap 2.1 aci compabitibility [children] -> children */ + } else if ( ber_bvstrcasecmp( &attr, &aci_bv[ ACI_BV_BR_CHILDREN ] ) == 0 ) { + ad = &adstatic; + adstatic.ad_cname = aci_bv[ ACI_BV_CHILDREN ]; + + /* openldap 2.1 aci compabitibility [all] -> only [all] */ + } else if ( ber_bvstrcasecmp( &attr, &aci_bv[ ACI_BV_BR_ALL ] ) == 0 ) { + ber_memfree_x( nattrs.bv_val, ctx ); + nattrs = aci_bv[ ACI_BV_BR_ALL ]; + freenattrs = 0; + break; + + } else if ( acl_get_part( &attr, 0, '=', &left ) < 0 + || acl_get_part( &attr, 1, '=', &right ) < 0 ) + { + if ( slap_bv2ad( &attr, &ad, &text ) != LDAP_SUCCESS ) + { + ber_memfree_x( nattrs.bv_val, ctx ); + Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: unknown attribute: '%s'\n", attr.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + } else { + if ( slap_bv2ad( &left, &ad, &text ) != LDAP_SUCCESS ) + { + ber_memfree_x( nattrs.bv_val, ctx ); + Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: unknown attribute: '%s'\n", left.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + } + + + len = nattrs.bv_len + ( !BER_BVISEMPTY( &nattrs ) ? STRLENOF( "," ) : 0 ) + + ad->ad_cname.bv_len; + nattrs.bv_val = ber_memrealloc_x( nattrs.bv_val, len + 1, ctx ); + ptr = &nattrs.bv_val[ nattrs.bv_len ]; + if ( !BER_BVISEMPTY( &nattrs ) ) { + *ptr++ = ','; + } + ptr = lutil_strncopy( ptr, ad->ad_cname.bv_val, ad->ad_cname.bv_len ); + ptr[ 0 ] = '\0'; + nattrs.bv_len = len; + } + + } + + naction->bv_val = ber_memrealloc_x( naction->bv_val, + naction->bv_len + STRLENOF( ";" ) + + perms.bv_len + STRLENOF( ";" ) + + nattrs.bv_len + 1, + ctx ); + + ptr = &naction->bv_val[ naction->bv_len ]; + ptr[ 0 ] = ';'; + ptr++; + ptr = lutil_strncopy( ptr, perms.bv_val, perms.bv_len ); + ptr[ 0 ] = ';'; + ptr++; + ptr = lutil_strncopy( ptr, nattrs.bv_val, nattrs.bv_len ); + ptr[ 0 ] = '\0'; + naction->bv_len += STRLENOF( ";" ) + perms.bv_len + + STRLENOF( ";" ) + nattrs.bv_len; + if ( freenattrs ) { + ber_memfree_x( nattrs.bv_val, ctx ); + } + } + } + + /* perms;attr go in pairs */ + if ( i > 1 && ( i & 1 ) ) { + return LDAP_SUCCESS; + + } else { + Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: perms:attr need to be pairs in '%s'\n", action->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } +} + +static int +OpenLDAPaciValidateRights( + struct berval *actions ) + +{ + struct berval bv = BER_BVNULL; + int i; + + for ( i = 0; acl_get_part( actions, i, '$', &bv ) >= 0; i++ ) { + if ( OpenLDAPaciValidateRight( &bv ) != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + return LDAP_SUCCESS; +} + +static int +OpenLDAPaciNormalizeRights( + struct berval *actions, + struct berval *nactions, + void *ctx ) + +{ + struct berval bv = BER_BVNULL; + int i; + + BER_BVZERO( nactions ); + for ( i = 0; acl_get_part( actions, i, '$', &bv ) >= 0; i++ ) { + int rc; + struct berval nbv; + + rc = OpenLDAPaciNormalizeRight( &bv, &nbv, ctx ); + if ( rc != LDAP_SUCCESS ) { + ber_memfree_x( nactions->bv_val, ctx ); + BER_BVZERO( nactions ); + return LDAP_INVALID_SYNTAX; + } + + if ( i == 0 ) { + *nactions = nbv; + + } else { + nactions->bv_val = ber_memrealloc_x( nactions->bv_val, + nactions->bv_len + STRLENOF( "$" ) + + nbv.bv_len + 1, + ctx ); + nactions->bv_val[ nactions->bv_len ] = '$'; + AC_MEMCPY( &nactions->bv_val[ nactions->bv_len + 1 ], + nbv.bv_val, nbv.bv_len + 1 ); + ber_memfree_x( nbv.bv_val, ctx ); + nactions->bv_len += STRLENOF( "$" ) + nbv.bv_len; + } + BER_BVZERO( &nbv ); + } + + return LDAP_SUCCESS; +} + +static const struct berval *OpenLDAPaciscopes[] = { + &aci_bv[ ACI_BV_ENTRY ], + &aci_bv[ ACI_BV_CHILDREN ], + &aci_bv[ ACI_BV_SUBTREE ], + + NULL +}; + +static const struct berval *OpenLDAPacitypes[] = { + /* DN-valued */ + &aci_bv[ ACI_BV_GROUP ], + &aci_bv[ ACI_BV_ROLE ], + +/* set to one past the last DN-valued type with options (/) */ +#define LAST_OPTIONAL 2 + + &aci_bv[ ACI_BV_ACCESS_ID ], + &aci_bv[ ACI_BV_SUBTREE ], + &aci_bv[ ACI_BV_ONELEVEL ], + &aci_bv[ ACI_BV_CHILDREN ], + +/* set to one past the last DN-valued type */ +#define LAST_DNVALUED 6 + + /* non DN-valued */ + &aci_bv[ ACI_BV_DNATTR ], + &aci_bv[ ACI_BV_PUBLIC ], + &aci_bv[ ACI_BV_USERS ], + &aci_bv[ ACI_BV_SELF ], + &aci_bv[ ACI_BV_SET ], + &aci_bv[ ACI_BV_SET_REF ], + + NULL +}; + +static int +OpenLDAPaciValidate( + Syntax *syntax, + struct berval *val ) +{ + struct berval oid = BER_BVNULL, + scope = BER_BVNULL, + rights = BER_BVNULL, + type = BER_BVNULL, + subject = BER_BVNULL; + int idx; + int rc; + + if ( BER_BVISEMPTY( val ) ) { + Debug( LDAP_DEBUG_ACL, "aciValidatet: value is empty\n", 0, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + /* oid */ + if ( acl_get_part( val, 0, '#', &oid ) < 0 || + numericoidValidate( NULL, &oid ) != LDAP_SUCCESS ) + { + /* NOTE: the numericoidValidate() is rather pedantic; + * I'd replace it with X-ORDERED VALUES so that + * it's guaranteed values are maintained and used + * in the desired order */ + Debug( LDAP_DEBUG_ACL, "aciValidate: invalid oid '%s'\n", oid.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + /* scope */ + if ( acl_get_part( val, 1, '#', &scope ) < 0 || + bv_getcaseidx( &scope, OpenLDAPaciscopes ) == -1 ) + { + Debug( LDAP_DEBUG_ACL, "aciValidate: invalid scope '%s'\n", scope.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + /* rights */ + if ( acl_get_part( val, 2, '#', &rights ) < 0 || + OpenLDAPaciValidateRights( &rights ) != LDAP_SUCCESS ) + { + return LDAP_INVALID_SYNTAX; + } + + /* type */ + if ( acl_get_part( val, 3, '#', &type ) < 0 ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: missing type in '%s'\n", val->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + idx = bv_getcaseidx( &type, OpenLDAPacitypes ); + if ( idx == -1 ) { + struct berval isgr; + + if ( acl_get_part( &type, 0, '/', &isgr ) < 0 ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: invalid type '%s'\n", type.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + idx = bv_getcaseidx( &isgr, OpenLDAPacitypes ); + if ( idx == -1 || idx >= LAST_OPTIONAL ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: invalid type '%s'\n", isgr.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + } + + /* subject */ + bv_get_tail( val, &type, &subject ); + if ( subject.bv_val[ 0 ] != '#' ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: missing subject in '%s'\n", val->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + if ( idx >= LAST_DNVALUED ) { + if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_DNATTR ] ) { + AttributeDescription *ad = NULL; + const char *text = NULL; + + rc = slap_bv2ad( &subject, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: unknown dn attribute '%s'\n", subject.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + if ( ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) { + /* FIXME: allow nameAndOptionalUID? */ + Debug( LDAP_DEBUG_ACL, "aciValidate: wrong syntax for dn attribute '%s'\n", subject.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + } + + /* not a DN */ + return LDAP_SUCCESS; + + } else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_GROUP ] + || OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_ROLE ] ) + { + /* do {group|role}/oc/at check */ + struct berval ocbv = BER_BVNULL, + atbv = BER_BVNULL; + + ocbv.bv_val = ber_bvchr( &type, '/' ); + if ( ocbv.bv_val != NULL ) { + ocbv.bv_val++; + ocbv.bv_len = type.bv_len + - ( ocbv.bv_val - type.bv_val ); + + atbv.bv_val = ber_bvchr( &ocbv, '/' ); + if ( atbv.bv_val != NULL ) { + AttributeDescription *ad = NULL; + const char *text = NULL; + int rc; + + atbv.bv_val++; + atbv.bv_len = type.bv_len + - ( atbv.bv_val - type.bv_val ); + ocbv.bv_len = atbv.bv_val - ocbv.bv_val - 1; + + rc = slap_bv2ad( &atbv, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: unknown group attribute '%s'\n", atbv.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + } + + if ( oc_bvfind( &ocbv ) == NULL ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: unknown group '%s'\n", ocbv.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + } + } + + if ( BER_BVISEMPTY( &subject ) ) { + /* empty DN invalid */ + Debug( LDAP_DEBUG_ACL, "aciValidate: missing dn in '%s'\n", val->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + subject.bv_val++; + subject.bv_len--; + + /* FIXME: pass DN syntax? */ + rc = dnValidate( NULL, &subject ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ACL, "aciValidate: invalid dn '%s'\n", subject.bv_val, 0, 0 ); + } + return rc; +} + +static int +OpenLDAPaciPrettyNormal( + struct berval *val, + struct berval *out, + void *ctx, + int normalize ) +{ + struct berval oid = BER_BVNULL, + scope = BER_BVNULL, + rights = BER_BVNULL, + nrights = BER_BVNULL, + type = BER_BVNULL, + ntype = BER_BVNULL, + subject = BER_BVNULL, + nsubject = BER_BVNULL; + int idx, + rc = LDAP_SUCCESS, + freesubject = 0, + freetype = 0; + char *ptr; + + BER_BVZERO( out ); + + if ( BER_BVISEMPTY( val ) ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: value is empty\n", 0, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + /* oid: if valid, it's already normalized */ + if ( acl_get_part( val, 0, '#', &oid ) < 0 || + numericoidValidate( NULL, &oid ) != LDAP_SUCCESS ) + { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid oid '%s'\n", oid.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + + /* scope: normalize by replacing with OpenLDAPaciscopes */ + if ( acl_get_part( val, 1, '#', &scope ) < 0 ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing scope in '%s'\n", val->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + idx = bv_getcaseidx( &scope, OpenLDAPaciscopes ); + if ( idx == -1 ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid scope '%s'\n", scope.bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + scope = *OpenLDAPaciscopes[ idx ]; + + /* rights */ + if ( acl_get_part( val, 2, '#', &rights ) < 0 ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing rights in '%s'\n", val->bv_val, 0, 0 ); + return LDAP_INVALID_SYNTAX; + } + if ( OpenLDAPaciNormalizeRights( &rights, &nrights, ctx ) + != LDAP_SUCCESS ) + { + return LDAP_INVALID_SYNTAX; + } + + /* type */ + if ( acl_get_part( val, 3, '#', &type ) < 0 ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing type in '%s'\n", val->bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + idx = bv_getcaseidx( &type, OpenLDAPacitypes ); + if ( idx == -1 ) { + struct berval isgr; + + if ( acl_get_part( &type, 0, '/', &isgr ) < 0 ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'\n", type.bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + + idx = bv_getcaseidx( &isgr, OpenLDAPacitypes ); + if ( idx == -1 || idx >= LAST_OPTIONAL ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'\n", isgr.bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + } + ntype = *OpenLDAPacitypes[ idx ]; + + /* subject */ + bv_get_tail( val, &type, &subject ); + + if ( BER_BVISEMPTY( &subject ) || subject.bv_val[ 0 ] != '#' ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing subject in '%s'\n", val->bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + + subject.bv_val++; + subject.bv_len--; + + if ( idx < LAST_DNVALUED ) { + /* FIXME: pass DN syntax? */ + if ( normalize ) { + rc = dnNormalize( 0, NULL, NULL, + &subject, &nsubject, ctx ); + } else { + rc = dnPretty( NULL, &subject, &nsubject, ctx ); + } + + if ( rc == LDAP_SUCCESS ) { + freesubject = 1; + + } else { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid subject dn '%s'\n", subject.bv_val, 0, 0 ); + goto cleanup; + } + + if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_GROUP ] + || OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_ROLE ] ) + { + /* do {group|role}/oc/at check */ + struct berval ocbv = BER_BVNULL, + atbv = BER_BVNULL; + + ocbv.bv_val = ber_bvchr( &type, '/' ); + if ( ocbv.bv_val != NULL ) { + ObjectClass *oc = NULL; + AttributeDescription *ad = NULL; + const char *text = NULL; + int rc; + struct berval bv; + + bv.bv_len = ntype.bv_len; + + ocbv.bv_val++; + ocbv.bv_len = type.bv_len - ( ocbv.bv_val - type.bv_val ); + + atbv.bv_val = ber_bvchr( &ocbv, '/' ); + if ( atbv.bv_val != NULL ) { + atbv.bv_val++; + atbv.bv_len = type.bv_len + - ( atbv.bv_val - type.bv_val ); + ocbv.bv_len = atbv.bv_val - ocbv.bv_val - 1; + + rc = slap_bv2ad( &atbv, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: unknown group attribute '%s'\n", atbv.bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + + bv.bv_len += STRLENOF( "/" ) + ad->ad_cname.bv_len; + } + + oc = oc_bvfind( &ocbv ); + if ( oc == NULL ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid group '%s'\n", ocbv.bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + + bv.bv_len += STRLENOF( "/" ) + oc->soc_cname.bv_len; + bv.bv_val = ber_memalloc_x( bv.bv_len + 1, ctx ); + + ptr = bv.bv_val; + ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len ); + ptr[ 0 ] = '/'; + ptr++; + ptr = lutil_strncopy( ptr, + oc->soc_cname.bv_val, + oc->soc_cname.bv_len ); + if ( ad != NULL ) { + ptr[ 0 ] = '/'; + ptr++; + ptr = lutil_strncopy( ptr, + ad->ad_cname.bv_val, + ad->ad_cname.bv_len ); + } + ptr[ 0 ] = '\0'; + + ntype = bv; + freetype = 1; + } + } + + } else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_DNATTR ] ) { + AttributeDescription *ad = NULL; + const char *text = NULL; + int rc; + + rc = slap_bv2ad( &subject, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: unknown dn attribute '%s'\n", subject.bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + + if ( ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) { + /* FIXME: allow nameAndOptionalUID? */ + Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: wrong syntax for dn attribute '%s'\n", subject.bv_val, 0, 0 ); + rc = LDAP_INVALID_SYNTAX; + goto cleanup; + } + + nsubject = ad->ad_cname; + + } else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET ] + || OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET_REF ] ) + { + /* NOTE: dunno how to normalize it... */ + nsubject = subject; + } + + + out->bv_len = + oid.bv_len + STRLENOF( "#" ) + + scope.bv_len + STRLENOF( "#" ) + + nrights.bv_len + STRLENOF( "#" ) + + ntype.bv_len + STRLENOF( "#" ) + + nsubject.bv_len; + + out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx ); + ptr = lutil_strncopy( out->bv_val, oid.bv_val, oid.bv_len ); + ptr[ 0 ] = '#'; + ptr++; + ptr = lutil_strncopy( ptr, scope.bv_val, scope.bv_len ); + ptr[ 0 ] = '#'; + ptr++; + ptr = lutil_strncopy( ptr, nrights.bv_val, nrights.bv_len ); + ptr[ 0 ] = '#'; + ptr++; + ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len ); + ptr[ 0 ] = '#'; + ptr++; + if ( !BER_BVISNULL( &nsubject ) ) { + ptr = lutil_strncopy( ptr, nsubject.bv_val, nsubject.bv_len ); + } + ptr[ 0 ] = '\0'; + +cleanup:; + if ( freesubject ) { + ber_memfree_x( nsubject.bv_val, ctx ); + } + + if ( freetype ) { + ber_memfree_x( ntype.bv_val, ctx ); + } + + if ( !BER_BVISNULL( &nrights ) ) { + ber_memfree_x( nrights.bv_val, ctx ); + } + + return rc; +} + +static int +OpenLDAPaciPretty( + Syntax *syntax, + struct berval *val, + struct berval *out, + void *ctx ) +{ + return OpenLDAPaciPrettyNormal( val, out, ctx, 0 ); +} + +static int +OpenLDAPaciNormalize( + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *out, + void *ctx ) +{ + return OpenLDAPaciPrettyNormal( val, out, ctx, 1 ); +} + +#if SLAPD_ACI_ENABLED == SLAPD_MOD_DYNAMIC +/* + * FIXME: need config and Makefile.am code to ease building + * as dynamic module + */ +int +init_module( int argc, char *argv[] ) +{ + return dynacl_aci_init(); +} +#endif /* SLAPD_ACI_ENABLED == SLAPD_MOD_DYNAMIC */ + +#endif /* SLAPD_ACI_ENABLED */ + diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c new file mode 100644 index 0000000..1e441e9 --- /dev/null +++ b/servers/slapd/acl.c @@ -0,0 +1,2689 @@ +/* acl.c - routines to parse and check acl's */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software . + * + * Copyright 1998-2018 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ +/* Portions Copyright (c) 1995 Regents of the University of Michigan. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. + */ + +#include "portable.h" + +#include + +#include +#include +#include + +#include "slap.h" +#include "sets.h" +#include "lber_pvt.h" +#include "lutil.h" + +#define ACL_BUF_SIZE 1024 /* use most appropriate size */ + +static const struct berval acl_bv_ip_eq = BER_BVC( "IP=" ); +#ifdef LDAP_PF_INET6 +static const struct berval acl_bv_ipv6_eq = BER_BVC( "IP=[" ); +#endif /* LDAP_PF_INET6 */ +#ifdef LDAP_PF_LOCAL +static const struct berval acl_bv_path_eq = BER_BVC("PATH="); +#endif /* LDAP_PF_LOCAL */ + +static AccessControl * slap_acl_get( + AccessControl *ac, int *count, + Operation *op, Entry *e, + AttributeDescription *desc, + struct berval *val, + AclRegexMatches *matches, + slap_mask_t *mask, + AccessControlState *state ); + +static slap_control_t slap_acl_mask( + AccessControl *ac, + AccessControl *prev, + slap_mask_t *mask, + Operation *op, Entry *e, + AttributeDescription *desc, + struct berval *val, + AclRegexMatches *matches, + int count, + AccessControlState *state, + slap_access_t access ); + +static int regex_matches( + struct berval *pat, char *str, + struct berval *dn_matches, struct berval *val_matches, + AclRegexMatches *matches); + +typedef struct AclSetCookie { + SetCookie asc_cookie; +#define asc_op asc_cookie.set_op + Entry *asc_e; +} AclSetCookie; + + +SLAP_SET_GATHER acl_set_gather; +SLAP_SET_GATHER acl_set_gather2; + +/* + * access_allowed - check whether op->o_ndn is allowed the requested access + * to entry e, attribute attr, value val. if val is null, access to + * the whole attribute is assumed (all values). + * + * This routine loops through all access controls and calls + * slap_acl_mask() on each applicable access control. + * The loop exits when a definitive answer is reached or + * or no more controls remain. + * + * returns: + * 0 access denied + * 1 access granted + * + * Notes: + * - can be legally called with op == NULL + * - can be legally called with op->o_bd == NULL + */ + +int +slap_access_always_allowed( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + assert( maskp != NULL ); + + /* assign all */ + ACL_LVL_ASSIGN_MANAGE( *maskp ); + + return 1; +} + +#define MATCHES_DNMAXCOUNT(m) \ + ( sizeof ( (m)->dn_data ) / sizeof( *(m)->dn_data ) ) +#define MATCHES_VALMAXCOUNT(m) \ + ( sizeof ( (m)->val_data ) / sizeof( *(m)->val_data ) ) +#define MATCHES_MEMSET(m) do { \ + memset( (m)->dn_data, '\0', sizeof( (m)->dn_data ) ); \ + memset( (m)->val_data, '\0', sizeof( (m)->val_data ) ); \ + (m)->dn_count = MATCHES_DNMAXCOUNT( (m) ); \ + (m)->val_count = MATCHES_VALMAXCOUNT( (m) ); \ +} while ( 0 /* CONSTCOND */ ) + +int +slap_access_allowed( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + int ret = 1; + int count; + AccessControl *a, *prev; + +#ifdef LDAP_DEBUG + char accessmaskbuf[ACCESSMASK_MAXLEN]; +#endif + slap_mask_t mask; + slap_control_t control; + slap_access_t access_level; + const char *attr; + AclRegexMatches matches; + AccessControlState acl_state = ACL_STATE_INIT; + static AccessControlState state_init = ACL_STATE_INIT; + + assert( op != NULL ); + assert( e != NULL ); + assert( desc != NULL ); + assert( maskp != NULL ); + + access_level = ACL_LEVEL( access ); + attr = desc->ad_cname.bv_val; + + assert( attr != NULL ); + + ACL_INIT( mask ); + + /* grant database root access */ + if ( be_isroot( op ) ) { + Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); + mask = ACL_LVL_MANAGE; + goto done; + } + + /* + * no-user-modification operational attributes are ignored + * by ACL_WRITE checking as any found here are not provided + * by the user + * + * NOTE: but they are not ignored for ACL_MANAGE, because + * if we get here it means a non-root user is trying to + * manage data, so we need to check its privileges. + */ + if ( access_level == ACL_WRITE_ + && is_at_no_user_mod( desc->ad_type ) + && desc != slap_schema.si_ad_entry + && desc != slap_schema.si_ad_children ) + { + Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" + " %s access granted\n", + attr, 0, 0 ); + goto done; + } + + /* use backend default access if no backend acls */ + if ( op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) { + int i; + + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: backend default %s " + "access %s to \"%s\"\n", + access2str( access ), + op->o_bd->be_dfltaccess >= access_level ? "granted" : "denied", + op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); + ret = op->o_bd->be_dfltaccess >= access_level; + + mask = ACL_PRIV_LEVEL; + for ( i = ACL_NONE; i <= op->o_bd->be_dfltaccess; i++ ) { + ACL_PRIV_SET( mask, ACL_ACCESS2PRIV( i ) ); + } + + goto done; + } + + ret = 0; + control = ACL_BREAK; + + if ( state == NULL ) + state = &acl_state; + if ( state->as_desc == desc && + state->as_access == access && + state->as_vd_acl_present ) + { + a = state->as_vd_acl; + count = state->as_vd_acl_count; + if ( state->as_fe_done ) + state->as_fe_done--; + ACL_PRIV_ASSIGN( mask, state->as_vd_mask ); + } else { + *state = state_init; + + a = NULL; + count = 0; + ACL_PRIV_ASSIGN( mask, *maskp ); + } + + MATCHES_MEMSET( &matches ); + prev = a; + + while ( ( a = slap_acl_get( a, &count, op, e, desc, val, + &matches, &mask, state ) ) != NULL ) + { + int i; + int dnmaxcount = MATCHES_DNMAXCOUNT( &matches ); + int valmaxcount = MATCHES_VALMAXCOUNT( &matches ); + regmatch_t *dn_data = matches.dn_data; + regmatch_t *val_data = matches.val_data; + + /* DN matches */ + for ( i = 0; i < dnmaxcount && dn_data[i].rm_eo > 0; i++ ) { + char *data = e->e_ndn; + + Debug( LDAP_DEBUG_ACL, "=> match[dn%d]: %d %d ", i, + (int)dn_data[i].rm_so, + (int)dn_data[i].rm_eo ); + if ( dn_data[i].rm_so <= dn_data[0].rm_eo ) { + int n; + for ( n = dn_data[i].rm_so; + n < dn_data[i].rm_eo; n++ ) { + Debug( LDAP_DEBUG_ACL, "%c", + data[n], 0, 0 ); + } + } + Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 ); + } + + /* val matches */ + for ( i = 0; i < valmaxcount && val_data[i].rm_eo > 0; i++ ) { + char *data = val->bv_val; + + Debug( LDAP_DEBUG_ACL, "=> match[val%d]: %d %d ", i, + (int)val_data[i].rm_so, + (int)val_data[i].rm_eo ); + if ( val_data[i].rm_so <= val_data[0].rm_eo ) { + int n; + for ( n = val_data[i].rm_so; + n < val_data[i].rm_eo; n++ ) { + Debug( LDAP_DEBUG_ACL, "%c", + data[n], 0, 0 ); + } + } + Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 ); + } + + control = slap_acl_mask( a, prev, &mask, op, + e, desc, val, &matches, count, state, access ); + + if ( control != ACL_BREAK ) { + break; + } + + MATCHES_MEMSET( &matches ); + prev = a; + } + + if ( ACL_IS_INVALID( mask ) ) { + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: \"%s\" (%s) invalid!\n", + e->e_dn, attr, 0 ); + ACL_PRIV_ASSIGN( mask, *maskp ); + + } else if ( control == ACL_BREAK ) { + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: no more rules\n", 0, 0, 0 ); + + goto done; + } + + ret = ACL_GRANT( mask, access ); + + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: %s access %s by %s\n", + access2str( access ), ret ? "granted" : "denied", + accessmask2str( mask, accessmaskbuf, 1 ) ); + +done: + ACL_PRIV_ASSIGN( *maskp, mask ); + return ret; +} + +int +fe_access_allowed( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + BackendDB *be_orig; + int rc; + + /* + * NOTE: control gets here if FIXME + * if an appropriate backend cannot be selected for the operation, + * we assume that the frontend should handle this + * FIXME: should select_backend() take care of this, + * and return frontendDB instead of NULL? maybe for some value + * of the flags? + */ + be_orig = op->o_bd; + + if ( op->o_bd == NULL ) { + op->o_bd = select_backend( &op->o_req_ndn, 0 ); + if ( op->o_bd == NULL ) + op->o_bd = frontendDB; + } + rc = slap_access_allowed( op, e, desc, val, access, state, maskp ); + op->o_bd = be_orig; + + return rc; +} + +int +access_allowed_mask( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + int ret = 1; + int be_null = 0; + +#ifdef LDAP_DEBUG + char accessmaskbuf[ACCESSMASK_MAXLEN]; +#endif + slap_mask_t mask; + slap_access_t access_level; + const char *attr; + + assert( e != NULL ); + assert( desc != NULL ); + + access_level = ACL_LEVEL( access ); + + assert( access_level > ACL_NONE ); + + ACL_INIT( mask ); + if ( maskp ) ACL_INVALIDATE( *maskp ); + + attr = desc->ad_cname.bv_val; + + assert( attr != NULL ); + + if ( op ) { + if ( op->o_acl_priv != ACL_NONE ) { + access = op->o_acl_priv; + + } else if ( op->o_is_auth_check && + ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) + { + access = ACL_AUTH; + + } else if ( get_relax( op ) && access_level == ACL_WRITE_ && + desc == slap_schema.si_ad_entry ) + { + access = ACL_MANAGE; + } + } + + if ( state != NULL ) { + if ( state->as_desc == desc && + state->as_access == access && + state->as_result != -1 && + !state->as_vd_acl_present ) + { + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: result was in cache (%s)\n", + attr, 0, 0 ); + return state->as_result; + } else { + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: result not in cache (%s)\n", + attr, 0, 0 ); + } + } + + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", + access2str( access ), e->e_dn, attr ); + + if ( op == NULL ) { + /* no-op call */ + goto done; + } + + if ( op->o_bd == NULL ) { + op->o_bd = LDAP_STAILQ_FIRST( &backendDB ); + be_null = 1; + + /* FIXME: experimental; use first backend rules + * iff there is no global_acl (ITS#3100) + */ + if ( frontendDB->be_acl != NULL ) { + op->o_bd = frontendDB; + } + } + assert( op->o_bd != NULL ); + + /* this is enforced in backend_add() */ + if ( op->o_bd->bd_info->bi_access_allowed ) { + /* delegate to backend */ + ret = op->o_bd->bd_info->bi_access_allowed( op, e, + desc, val, access, state, &mask ); + + } else { + /* use default (but pass through frontend + * for global ACL overlays) */ + ret = frontendDB->bd_info->bi_access_allowed( op, e, + desc, val, access, state, &mask ); + } + + if ( !ret ) { + if ( ACL_IS_INVALID( mask ) ) { + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: \"%s\" (%s) invalid!\n", + e->e_dn, attr, 0 ); + ACL_INIT( mask ); + + } else { + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: no more rules\n", 0, 0, 0 ); + + goto done; + } + } + + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: %s access %s by %s\n", + access2str( access ), ret ? "granted" : "denied", + accessmask2str( mask, accessmaskbuf, 1 ) ); + +done: + if ( state != NULL ) { + state->as_access = access; + state->as_result = ret; + state->as_desc = desc; + } + if ( be_null ) op->o_bd = NULL; + if ( maskp ) ACL_PRIV_ASSIGN( *maskp, mask ); + return ret; +} + + +/* + * slap_acl_get - return the acl applicable to entry e, attribute + * attr. the acl returned is suitable for use in subsequent calls to + * acl_access_allowed(). + */ + +static AccessControl * +slap_acl_get( + AccessControl *a, + int *count, + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + AclRegexMatches *matches, + slap_mask_t *mask, + AccessControlState *state ) +{ + const char *attr; + ber_len_t dnlen; + AccessControl *prev; + + assert( e != NULL ); + assert( count != NULL ); + assert( desc != NULL ); + assert( state != NULL ); + + attr = desc->ad_cname.bv_val; + + assert( attr != NULL ); + + if( a == NULL ) { + if( op->o_bd == NULL || op->o_bd->be_acl == NULL ) { + a = frontendDB->be_acl; + } else { + a = op->o_bd->be_acl; + } + prev = NULL; + + assert( a != NULL ); + if ( a == frontendDB->be_acl ) + state->as_fe_done = 1; + } else { + prev = a; + a = a->acl_next; + } + + dnlen = e->e_nname.bv_len; + + retry: + for ( ; a != NULL; prev = a, a = a->acl_next ) { + (*count) ++; + + if ( a != frontendDB->be_acl && state->as_fe_done ) + state->as_fe_done++; + + if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) { + if ( a->acl_dn_style == ACL_STYLE_REGEX ) { + Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", + *count, a->acl_dn_pat.bv_val, (int) a->acl_dn_re.re_nsub ); + if ( regexec ( &a->acl_dn_re, + e->e_ndn, + matches->dn_count, + matches->dn_data, 0 ) ) + continue; + + } else { + ber_len_t patlen; + + Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n", + *count, a->acl_dn_pat.bv_val, 0 ); + patlen = a->acl_dn_pat.bv_len; + if ( dnlen < patlen ) + continue; + + if ( a->acl_dn_style == ACL_STYLE_BASE ) { + /* base dn -- entire object DN must match */ + if ( dnlen != patlen ) + continue; + + } else if ( a->acl_dn_style == ACL_STYLE_ONE ) { + ber_len_t rdnlen = 0; + ber_len_t sep = 0; + + if ( dnlen <= patlen ) + continue; + + if ( patlen > 0 ) { + if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) + continue; + sep = 1; + } + + rdnlen = dn_rdnlen( NULL, &e->e_nname ); + if ( rdnlen + patlen + sep != dnlen ) + continue; + + } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) { + if ( dnlen > patlen && !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) + continue; + + } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) { + if ( dnlen <= patlen ) + continue; + if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) + continue; + } + + if ( strcmp( a->acl_dn_pat.bv_val, e->e_ndn + dnlen - patlen ) != 0 ) + continue; + } + + Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] matched\n", + *count, 0, 0 ); + } + + if ( a->acl_attrs && !ad_inlist( desc, a->acl_attrs ) ) { + matches->dn_data[0].rm_so = -1; + matches->dn_data[0].rm_eo = -1; + matches->val_data[0].rm_so = -1; + matches->val_data[0].rm_eo = -1; + continue; + } + + /* Is this ACL only for a specific value? */ + if ( a->acl_attrval.bv_val ) { + if ( val == NULL ) { + continue; + } + + if ( !state->as_vd_acl_present ) { + state->as_vd_acl_present = 1; + state->as_vd_acl = prev; + state->as_vd_acl_count = *count - 1; + ACL_PRIV_ASSIGN ( state->as_vd_mask, *mask ); + } + + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) { + Debug( LDAP_DEBUG_ACL, + "acl_get: valpat %s\n", + a->acl_attrval.bv_val, 0, 0 ); + if ( regexec ( &a->acl_attrval_re, + val->bv_val, + matches->val_count, + matches->val_data, 0 ) ) + { + continue; + } + + } else { + int match = 0; + const char *text; + Debug( LDAP_DEBUG_ACL, + "acl_get: val %s\n", + a->acl_attrval.bv_val, 0, 0 ); + + if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) { + if (value_match( &match, desc, + a->acl_attrval_mr, 0, + val, &a->acl_attrval, &text ) != LDAP_SUCCESS || + match ) + continue; + + } else { + ber_len_t patlen, vdnlen; + + patlen = a->acl_attrval.bv_len; + vdnlen = val->bv_len; + + if ( vdnlen < patlen ) + continue; + + if ( a->acl_attrval_style == ACL_STYLE_BASE ) { + if ( vdnlen > patlen ) + continue; + + } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) { + ber_len_t rdnlen = 0; + + if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) ) + continue; + + rdnlen = dn_rdnlen( NULL, val ); + if ( rdnlen + patlen + 1 != vdnlen ) + continue; + + } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) { + if ( vdnlen > patlen && !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) ) + continue; + + } else if ( a->acl_attrval_style == ACL_STYLE_CHILDREN ) { + if ( vdnlen <= patlen ) + continue; + + if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) ) + continue; + } + + if ( strcmp( a->acl_attrval.bv_val, val->bv_val + vdnlen - patlen ) ) + continue; + } + } + } + + if ( a->acl_filter != NULL ) { + ber_int_t rc = test_filter( NULL, e, a->acl_filter ); + if ( rc != LDAP_COMPARE_TRUE ) { + continue; + } + } + + Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] attr %s\n", + *count, attr, 0); + return a; + } + + if ( !state->as_fe_done ) { + state->as_fe_done = 1; + a = frontendDB->be_acl; + goto retry; + } + + Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 ); + return( NULL ); +} + +/* + * Record value-dependent access control state + */ +#define ACL_RECORD_VALUE_STATE do { \ + if( state && !state->as_vd_acl_present ) { \ + state->as_vd_acl_present = 1; \ + state->as_vd_acl = prev; \ + state->as_vd_acl_count = count - 1; \ + ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \ + } \ + } while( 0 ) + +static int +acl_mask_dn( + Operation *op, + Entry *e, + struct berval *val, + AccessControl *a, + AclRegexMatches *matches, + slap_dn_access *bdn, + struct berval *opndn ) +{ + /* + * if access applies to the entry itself, and the + * user is bound as somebody in the same namespace as + * the entry, OR the given dn matches the dn pattern + */ + /* + * NOTE: styles "anonymous", "users" and "self" + * have been moved to enum slap_style_t, whose + * value is set in a_dn_style; however, the string + * is maintained in a_dn_pat. + */ + + if ( bdn->a_style == ACL_STYLE_ANONYMOUS ) { + if ( !BER_BVISEMPTY( opndn ) ) { + return 1; + } + + } else if ( bdn->a_style == ACL_STYLE_USERS ) { + if ( BER_BVISEMPTY( opndn ) ) { + return 1; + } + + } else if ( bdn->a_style == ACL_STYLE_SELF ) { + struct berval ndn, selfndn; + int level; + + if ( BER_BVISEMPTY( opndn ) || BER_BVISNULL( &e->e_nname ) ) { + return 1; + } + + level = bdn->a_self_level; + if ( level < 0 ) { + selfndn = *opndn; + ndn = e->e_nname; + level = -level; + + } else { + ndn = *opndn; + selfndn = e->e_nname; + } + + for ( ; level > 0; level-- ) { + if ( BER_BVISEMPTY( &ndn ) ) { + break; + } + dnParent( &ndn, &ndn ); + } + + if ( BER_BVISEMPTY( &ndn ) || !dn_match( &ndn, &selfndn ) ) + { + return 1; + } + + } else if ( bdn->a_style == ACL_STYLE_REGEX ) { + if ( !ber_bvccmp( &bdn->a_pat, '*' ) ) { + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; + int rc = 0; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; + + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { + case ACL_STYLE_REGEX: + if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { + tmp_matchesp = matches; + break; + } + /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ + + case ACL_STYLE_BASE: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; + break; + + case ACL_STYLE_ONE: + case ACL_STYLE_SUBTREE: + case ACL_STYLE_CHILDREN: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 2; + break; + + default: + /* error */ + rc = 1; + break; + } + + if ( rc ) { + return 1; + } + + if ( !regex_matches( &bdn->a_pat, opndn->bv_val, + &e->e_nname, NULL, tmp_matchesp ) ) + { + return 1; + } + } + + } else { + struct berval pat; + ber_len_t patlen, odnlen; + int got_match = 0; + + if ( e->e_dn == NULL ) + return 1; + + if ( bdn->a_expand ) { + struct berval bv; + char buf[ACL_BUF_SIZE]; + + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; + int rc = 0; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + + /* Expand value regex */ + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { + case ACL_STYLE_REGEX: + if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { + tmp_matchesp = matches; + break; + } + /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ + + case ACL_STYLE_BASE: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; + break; + + case ACL_STYLE_ONE: + case ACL_STYLE_SUBTREE: + case ACL_STYLE_CHILDREN: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 2; + break; + + default: + /* error */ + rc = 1; + break; + } + + if ( rc ) { + return 1; + } + + if ( acl_string_expand( &bv, &bdn->a_pat, + &e->e_nname, + val, tmp_matchesp ) ) + { + return 1; + } + + if ( dnNormalize(0, NULL, NULL, &bv, + &pat, op->o_tmpmemctx ) + != LDAP_SUCCESS ) + { + /* did not expand to a valid dn */ + return 1; + } + + } else { + pat = bdn->a_pat; + } + + patlen = pat.bv_len; + odnlen = opndn->bv_len; + if ( odnlen < patlen ) { + goto dn_match_cleanup; + + } + + if ( bdn->a_style == ACL_STYLE_BASE ) { + /* base dn -- entire object DN must match */ + if ( odnlen != patlen ) { + goto dn_match_cleanup; + } + + } else if ( bdn->a_style == ACL_STYLE_ONE ) { + ber_len_t rdnlen = 0; + + if ( odnlen <= patlen ) { + goto dn_match_cleanup; + } + + if ( !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { + goto dn_match_cleanup; + } + + rdnlen = dn_rdnlen( NULL, opndn ); + if ( rdnlen - ( odnlen - patlen - 1 ) != 0 ) { + goto dn_match_cleanup; + } + + } else if ( bdn->a_style == ACL_STYLE_SUBTREE ) { + if ( odnlen > patlen && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { + goto dn_match_cleanup; + } + + } else if ( bdn->a_style == ACL_STYLE_CHILDREN ) { + if ( odnlen <= patlen ) { + goto dn_match_cleanup; + } + + if ( !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { + goto dn_match_cleanup; + } + + } else if ( bdn->a_style == ACL_STYLE_LEVEL ) { + int level = bdn->a_level; + struct berval ndn; + + if ( odnlen <= patlen ) { + goto dn_match_cleanup; + } + + if ( level > 0 && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) + { + goto dn_match_cleanup; + } + + ndn = *opndn; + for ( ; level > 0; level-- ) { + if ( BER_BVISEMPTY( &ndn ) ) { + goto dn_match_cleanup; + } + dnParent( &ndn, &ndn ); + if ( ndn.bv_len < patlen ) { + goto dn_match_cleanup; + } + } + + if ( ndn.bv_len != patlen ) { + goto dn_match_cleanup; + } + } + + got_match = !strcmp( pat.bv_val, &opndn->bv_val[ odnlen - patlen ] ); + +dn_match_cleanup:; + if ( pat.bv_val != bdn->a_pat.bv_val ) { + slap_sl_free( pat.bv_val, op->o_tmpmemctx ); + } + + if ( !got_match ) { + return 1; + } + } + + return 0; +} + +static int +acl_mask_dnattr( + Operation *op, + Entry *e, + struct berval *val, + AccessControl *a, + int count, + AccessControlState *state, + slap_mask_t *mask, + slap_dn_access *bdn, + struct berval *opndn ) +{ + Attribute *at; + struct berval bv; + int rc, match = 0; + const char *text; + const char *attr = bdn->a_at->ad_cname.bv_val; + + assert( attr != NULL ); + + if ( BER_BVISEMPTY( opndn ) ) { + return 1; + } + + Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n", attr, 0, 0 ); + bv = *opndn; + + /* see if asker is listed in dnattr */ + for ( at = attrs_find( e->e_attrs, bdn->a_at ); + at != NULL; + at = attrs_find( at->a_next, bdn->a_at ) ) + { + if ( attr_valfind( at, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + &bv, NULL, op->o_tmpmemctx ) == 0 ) + { + /* found it */ + match = 1; + break; + } + } + + if ( match ) { + /* have a dnattr match. if this is a self clause then + * the target must also match the op dn. + */ + if ( bdn->a_self ) { + /* check if the target is an attribute. */ + if ( val == NULL ) return 1; + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, bdn->a_at, + bdn->a_at->ad_type->sat_equality, 0, + val, &bv, &text ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + return 1; + } + + } else { + /* no dnattr match, check if this is a self clause */ + if ( ! bdn->a_self ) + return 1; + + /* this is a self clause, check if the target is an + * attribute. + */ + if ( val == NULL ) + return 1; + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, bdn->a_at, + bdn->a_at->ad_type->sat_equality, 0, + val, &bv, &text ); + + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + return 1; + } + + return 0; +} + + +/* + * slap_acl_mask - modifies mask based upon the given acl and the + * requested access to entry e, attribute attr, value val. if val + * is null, access to the whole attribute is assumed (all values). + * + * returns 0 access NOT allowed + * 1 access allowed + */ + +static slap_control_t +slap_acl_mask( + AccessControl *a, + AccessControl *prev, + slap_mask_t *mask, + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + AclRegexMatches *matches, + int count, + AccessControlState *state, + slap_access_t access ) +{ + int i; + Access *b; +#ifdef LDAP_DEBUG + char accessmaskbuf[ACCESSMASK_MAXLEN]; +#endif /* DEBUG */ + const char *attr; +#ifdef SLAP_DYNACL + slap_mask_t a2pmask = ACL_ACCESS2PRIV( access ); +#endif /* SLAP_DYNACL */ + + assert( a != NULL ); + assert( mask != NULL ); + assert( desc != NULL ); + + attr = desc->ad_cname.bv_val; + + assert( attr != NULL ); + + Debug( LDAP_DEBUG_ACL, + "=> acl_mask: access to entry \"%s\", attr \"%s\" requested\n", + e->e_dn, attr, 0 ); + + Debug( LDAP_DEBUG_ACL, + "=> acl_mask: to %s by \"%s\", (%s) \n", + val ? "value" : "all values", + op->o_ndn.bv_val ? op->o_ndn.bv_val : "", + accessmask2str( *mask, accessmaskbuf, 1 ) ); + + + b = a->acl_access; + i = 1; + + for ( ; b != NULL; b = b->a_next, i++ ) { + slap_mask_t oldmask, modmask; + + ACL_INVALIDATE( modmask ); + + /* check for the "self" modifier in the field */ + if ( b->a_dn.a_self ) { + const char *dummy; + int rc, match = 0; + + ACL_RECORD_VALUE_STATE; + + /* must have DN syntax */ + if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName && + !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue; + + /* check if the target is an attribute. */ + if ( val == NULL ) continue; + + /* a DN must be present */ + if ( BER_BVISEMPTY( &op->o_ndn ) ) { + continue; + } + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, desc, + desc->ad_type->sat_equality, 0, + val, &op->o_ndn, &dummy ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + continue; + } + + /* AND clauses */ + if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) { + Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n", + b->a_dn_pat.bv_val, 0, 0); + /* + * if access applies to the entry itself, and the + * user is bound as somebody in the same namespace as + * the entry, OR the given dn matches the dn pattern + */ + /* + * NOTE: styles "anonymous", "users" and "self" + * have been moved to enum slap_style_t, whose + * value is set in a_dn_style; however, the string + * is maintained in a_dn_pat. + */ + + if ( acl_mask_dn( op, e, val, a, matches, + &b->a_dn, &op->o_ndn ) ) + { + continue; + } + } + + if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) { + struct berval ndn; + + Debug( LDAP_DEBUG_ACL, "<= check a_realdn_pat: %s\n", + b->a_realdn_pat.bv_val, 0, 0); + /* + * if access applies to the entry itself, and the + * user is bound as somebody in the same namespace as + * the entry, OR the given dn matches the dn pattern + */ + /* + * NOTE: styles "anonymous", "users" and "self" + * have been moved to enum slap_style_t, whose + * value is set in a_dn_style; however, the string + * is maintained in a_dn_pat. + */ + + if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) + { + ndn = op->o_conn->c_ndn; + } else { + ndn = op->o_ndn; + } + + if ( acl_mask_dn( op, e, val, a, matches, + &b->a_realdn, &ndn ) ) + { + continue; + } + } + + if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) { + if ( ! op->o_conn->c_listener ) { + continue; + } + Debug( LDAP_DEBUG_ACL, "<= check a_sockurl_pat: %s\n", + b->a_sockurl_pat.bv_val, 0, 0 ); + + if ( !ber_bvccmp( &b->a_sockurl_pat, '*' ) ) { + if ( b->a_sockurl_style == ACL_STYLE_REGEX) { + if ( !regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val, + &e->e_nname, val, matches ) ) + { + continue; + } + + } else if ( b->a_sockurl_style == ACL_STYLE_EXPAND ) { + struct berval bv; + char buf[ACL_BUF_SIZE]; + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + if ( acl_string_expand( &bv, &b->a_sockurl_pat, &e->e_nname, val, matches ) ) + { + continue; + } + + if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_listener_url ) != 0 ) + { + continue; + } + + } else { + if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &op->o_conn->c_listener_url ) != 0 ) + { + continue; + } + } + } + } + + if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) { + if ( !op->o_conn->c_peer_domain.bv_val ) { + continue; + } + Debug( LDAP_DEBUG_ACL, "<= check a_domain_pat: %s\n", + b->a_domain_pat.bv_val, 0, 0 ); + if ( !ber_bvccmp( &b->a_domain_pat, '*' ) ) { + if ( b->a_domain_style == ACL_STYLE_REGEX) { + if ( !regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val, + &e->e_nname, val, matches ) ) + { + continue; + } + } else { + char buf[ACL_BUF_SIZE]; + + struct berval cmp = op->o_conn->c_peer_domain; + struct berval pat = b->a_domain_pat; + + if ( b->a_domain_expand ) { + struct berval bv; + + bv.bv_len = sizeof(buf) - 1; + bv.bv_val = buf; + + if ( acl_string_expand(&bv, &b->a_domain_pat, &e->e_nname, val, matches) ) + { + continue; + } + pat = bv; + } + + if ( b->a_domain_style == ACL_STYLE_SUBTREE ) { + int offset = cmp.bv_len - pat.bv_len; + if ( offset < 0 ) { + continue; + } + + if ( offset == 1 || ( offset > 1 && cmp.bv_val[ offset - 1 ] != '.' ) ) { + continue; + } + + /* trim the domain */ + cmp.bv_val = &cmp.bv_val[ offset ]; + cmp.bv_len -= offset; + } + + if ( ber_bvstrcasecmp( &pat, &cmp ) != 0 ) { + continue; + } + } + } + } + + if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) { + if ( !op->o_conn->c_peer_name.bv_val ) { + continue; + } + Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n", + b->a_peername_pat.bv_val, 0, 0 ); + if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) { + if ( b->a_peername_style == ACL_STYLE_REGEX ) { + if ( !regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val, + &e->e_nname, val, matches ) ) + { + continue; + } + + } else { + /* try exact match */ + if ( b->a_peername_style == ACL_STYLE_BASE ) { + if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 ) { + continue; + } + + } else if ( b->a_peername_style == ACL_STYLE_EXPAND ) { + struct berval bv; + char buf[ACL_BUF_SIZE]; + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + if ( acl_string_expand( &bv, &b->a_peername_pat, &e->e_nname, val, matches ) ) + { + continue; + } + + if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_peer_name ) != 0 ) { + continue; + } + + /* extract IP and try exact match */ + } else if ( b->a_peername_style == ACL_STYLE_IP ) { + char *port; + char buf[STRLENOF("255.255.255.255") + 1]; + struct berval ip; + unsigned long addr; + int port_number = -1; + + if ( strncasecmp( op->o_conn->c_peer_name.bv_val, + acl_bv_ip_eq.bv_val, + acl_bv_ip_eq.bv_len ) != 0 ) + continue; + + ip.bv_val = op->o_conn->c_peer_name.bv_val + acl_bv_ip_eq.bv_len; + ip.bv_len = op->o_conn->c_peer_name.bv_len - acl_bv_ip_eq.bv_len; + + port = strrchr( ip.bv_val, ':' ); + if ( port ) { + ip.bv_len = port - ip.bv_val; + ++port; + if ( lutil_atoi( &port_number, port ) != 0 ) + continue; + } + + /* the port check can be anticipated here */ + if ( b->a_peername_port != -1 && port_number != b->a_peername_port ) + continue; + + /* address longer than expected? */ + if ( ip.bv_len >= sizeof(buf) ) + continue; + + AC_MEMCPY( buf, ip.bv_val, ip.bv_len ); + buf[ ip.bv_len ] = '\0'; + + addr = inet_addr( buf ); + + /* unable to convert? */ + if ( addr == (unsigned long)(-1) ) + continue; + + if ( (addr & b->a_peername_mask) != b->a_peername_addr ) + continue; + +#ifdef LDAP_PF_INET6 + /* extract IPv6 and try exact match */ + } else if ( b->a_peername_style == ACL_STYLE_IPV6 ) { + char *port; + char buf[STRLENOF("FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF") + 1]; + struct berval ip; + struct in6_addr addr; + int port_number = -1; + + if ( strncasecmp( op->o_conn->c_peer_name.bv_val, + acl_bv_ipv6_eq.bv_val, + acl_bv_ipv6_eq.bv_len ) != 0 ) + continue; + + ip.bv_val = op->o_conn->c_peer_name.bv_val + acl_bv_ipv6_eq.bv_len; + ip.bv_len = op->o_conn->c_peer_name.bv_len - acl_bv_ipv6_eq.bv_len; + + port = strrchr( ip.bv_val, ']' ); + if ( port ) { + ip.bv_len = port - ip.bv_val; + ++port; + if ( port[0] == ':' && lutil_atoi( &port_number, ++port ) != 0 ) + continue; + } + + /* the port check can be anticipated here */ + if ( b->a_peername_port != -1 && port_number != b->a_peername_port ) + continue; + + /* address longer than expected? */ + if ( ip.bv_len >= sizeof(buf) ) + continue; + + AC_MEMCPY( buf, ip.bv_val, ip.bv_len ); + buf[ ip.bv_len ] = '\0'; + + if ( inet_pton( AF_INET6, buf, &addr ) != 1 ) + continue; + + /* check mask */ + if ( !slap_addr6_mask( &addr, &b->a_peername_mask6, &b->a_peername_addr6 ) ) + continue; +#endif /* LDAP_PF_INET6 */ + +#ifdef LDAP_PF_LOCAL + /* extract path and try exact match */ + } else if ( b->a_peername_style == ACL_STYLE_PATH ) { + struct berval path; + + if ( strncmp( op->o_conn->c_peer_name.bv_val, + acl_bv_path_eq.bv_val, + acl_bv_path_eq.bv_len ) != 0 ) + continue; + + path.bv_val = op->o_conn->c_peer_name.bv_val + + acl_bv_path_eq.bv_len; + path.bv_len = op->o_conn->c_peer_name.bv_len + - acl_bv_path_eq.bv_len; + + if ( ber_bvcmp( &b->a_peername_pat, &path ) != 0 ) + continue; + +#endif /* LDAP_PF_LOCAL */ + + /* exact match (very unlikely...) */ + } else if ( ber_bvcmp( &op->o_conn->c_peer_name, &b->a_peername_pat ) != 0 ) { + continue; + } + } + } + } + + if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) { + if ( BER_BVISNULL( &op->o_conn->c_sock_name ) ) { + continue; + } + Debug( LDAP_DEBUG_ACL, "<= check a_sockname_path: %s\n", + b->a_sockname_pat.bv_val, 0, 0 ); + if ( !ber_bvccmp( &b->a_sockname_pat, '*' ) ) { + if ( b->a_sockname_style == ACL_STYLE_REGEX) { + if ( !regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val, + &e->e_nname, val, matches ) ) + { + continue; + } + + } else if ( b->a_sockname_style == ACL_STYLE_EXPAND ) { + struct berval bv; + char buf[ACL_BUF_SIZE]; + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + if ( acl_string_expand( &bv, &b->a_sockname_pat, &e->e_nname, val, matches ) ) + { + continue; + } + + if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_sock_name ) != 0 ) { + continue; + } + + } else { + if ( ber_bvstrcasecmp( &b->a_sockname_pat, &op->o_conn->c_sock_name ) != 0 ) { + continue; + } + } + } + } + + if ( b->a_dn_at != NULL ) { + if ( acl_mask_dnattr( op, e, val, a, + count, state, mask, + &b->a_dn, &op->o_ndn ) ) + { + continue; + } + } + + if ( b->a_realdn_at != NULL ) { + struct berval ndn; + + if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) + { + ndn = op->o_conn->c_ndn; + } else { + ndn = op->o_ndn; + } + + if ( acl_mask_dnattr( op, e, val, a, + count, state, mask, + &b->a_realdn, &ndn ) ) + { + continue; + } + } + + if ( !BER_BVISEMPTY( &b->a_group_pat ) ) { + struct berval bv; + struct berval ndn = BER_BVNULL; + int rc; + + if ( op->o_ndn.bv_len == 0 ) { + continue; + } + + Debug( LDAP_DEBUG_ACL, "<= check a_group_pat: %s\n", + b->a_group_pat.bv_val, 0, 0 ); + + /* b->a_group is an unexpanded entry name, expanded it should be an + * entry with objectclass group* and we test to see if odn is one of + * the values in the attribute group + */ + /* see if asker is listed in dnattr */ + if ( b->a_group_style == ACL_STYLE_EXPAND ) { + char buf[ACL_BUF_SIZE]; + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; + + bv.bv_len = sizeof(buf) - 1; + bv.bv_val = buf; + + rc = 0; + + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { + case ACL_STYLE_REGEX: + if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { + tmp_matchesp = matches; + break; + } + + /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ + case ACL_STYLE_BASE: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; + break; + + case ACL_STYLE_ONE: + case ACL_STYLE_SUBTREE: + case ACL_STYLE_CHILDREN: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 2; + break; + + default: + /* error */ + rc = 1; + break; + } + + if ( rc ) { + continue; + } + + if ( acl_string_expand( &bv, &b->a_group_pat, + &e->e_nname, val, + tmp_matchesp ) ) + { + continue; + } + + if ( dnNormalize( 0, NULL, NULL, &bv, &ndn, + op->o_tmpmemctx ) != LDAP_SUCCESS ) + { + /* did not expand to a valid dn */ + continue; + } + + bv = ndn; + + } else { + bv = b->a_group_pat; + } + + rc = backend_group( op, e, &bv, &op->o_ndn, + b->a_group_oc, b->a_group_at ); + + if ( ndn.bv_val ) { + slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); + } + + if ( rc != 0 ) { + continue; + } + } + + if ( !BER_BVISEMPTY( &b->a_set_pat ) ) { + struct berval bv; + char buf[ACL_BUF_SIZE]; + + Debug( LDAP_DEBUG_ACL, "<= check a_set_pat: %s\n", + b->a_set_pat.bv_val, 0, 0 ); + + if ( b->a_set_style == ACL_STYLE_EXPAND ) { + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; + int rc = 0; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + + rc = 0; + + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { + case ACL_STYLE_REGEX: + if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { + tmp_matchesp = matches; + break; + } + + /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ + case ACL_STYLE_BASE: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; + break; + + case ACL_STYLE_ONE: + case ACL_STYLE_SUBTREE: + case ACL_STYLE_CHILDREN: + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; tmp_matches.dn_count = 2; + break; + + default: + /* error */ + rc = 1; + break; + } + + if ( rc ) { + continue; + } + + if ( acl_string_expand( &bv, &b->a_set_pat, + &e->e_nname, val, + tmp_matchesp ) ) + { + continue; + } + + } else { + bv = b->a_set_pat; + } + + if ( acl_match_set( &bv, op, e, NULL ) == 0 ) { + continue; + } + } + + if ( b->a_authz.sai_ssf ) { + Debug( LDAP_DEBUG_ACL, "<= check a_authz.sai_ssf: ACL %u > OP %u\n", + b->a_authz.sai_ssf, op->o_ssf, 0 ); + if ( b->a_authz.sai_ssf > op->o_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_transport_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_transport_ssf: ACL %u > OP %u\n", + b->a_authz.sai_transport_ssf, op->o_transport_ssf, 0 ); + if ( b->a_authz.sai_transport_ssf > op->o_transport_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_tls_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_tls_ssf: ACL %u > OP %u\n", + b->a_authz.sai_tls_ssf, op->o_tls_ssf, 0 ); + if ( b->a_authz.sai_tls_ssf > op->o_tls_ssf ) { + continue; + } + } + + if ( b->a_authz.sai_sasl_ssf ) { + Debug( LDAP_DEBUG_ACL, + "<= check a_authz.sai_sasl_ssf: ACL %u > OP %u\n", + b->a_authz.sai_sasl_ssf, op->o_sasl_ssf, 0 ); + if ( b->a_authz.sai_sasl_ssf > op->o_sasl_ssf ) { + continue; + } + } + +#ifdef SLAP_DYNACL + if ( b->a_dynacl ) { + slap_dynacl_t *da; + slap_access_t tgrant, tdeny; + + Debug( LDAP_DEBUG_ACL, "<= check a_dynacl\n", + 0, 0, 0 ); + + /* this case works different from the others above. + * since dynamic ACL's themselves give permissions, we need + * to first check b->a_access_mask, the ACL's access level. + */ + /* first check if the right being requested + * is allowed by the ACL clause. + */ + if ( ! ACL_PRIV_ISSET( b->a_access_mask, a2pmask ) ) { + continue; + } + + /* start out with nothing granted, nothing denied */ + ACL_INVALIDATE(tgrant); + ACL_INVALIDATE(tdeny); + + for ( da = b->a_dynacl; da; da = da->da_next ) { + slap_access_t grant, + deny; + + ACL_INVALIDATE(grant); + ACL_INVALIDATE(deny); + + Debug( LDAP_DEBUG_ACL, " <= check a_dynacl: %s\n", + da->da_name, 0, 0 ); + + /* + * XXXmanu Only DN matches are supplied + * sending attribute values matches require + * an API update + */ + (void)da->da_mask( da->da_private, op, e, desc, + val, matches->dn_count, matches->dn_data, + &grant, &deny ); + + tgrant |= grant; + tdeny |= deny; + } + + /* remove anything that the ACL clause does not allow */ + tgrant &= b->a_access_mask & ACL_PRIV_MASK; + tdeny &= ACL_PRIV_MASK; + + /* see if we have anything to contribute */ + if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) { + continue; + } + + /* this could be improved by changing slap_acl_mask so that it can deal with + * by clauses that return grant/deny pairs. Right now, it does either + * additive or subtractive rights, but not both at the same time. So, + * we need to combine the grant/deny pair into a single rights mask in + * a smart way: if either grant or deny is "empty", then we use the + * opposite as is, otherwise we remove any denied rights from the grant + * rights mask and construct an additive mask. + */ + if (ACL_IS_INVALID(tdeny)) { + modmask = tgrant | ACL_PRIV_ADDITIVE; + + } else if (ACL_IS_INVALID(tgrant)) { + modmask = tdeny | ACL_PRIV_SUBSTRACTIVE; + + } else { + modmask = (tgrant & ~tdeny) | ACL_PRIV_ADDITIVE; + } + + } else +#endif /* SLAP_DYNACL */ + { + modmask = b->a_access_mask; + } + + Debug( LDAP_DEBUG_ACL, + "<= acl_mask: [%d] applying %s (%s)\n", + i, accessmask2str( modmask, accessmaskbuf, 1 ), + b->a_type == ACL_CONTINUE + ? "continue" + : b->a_type == ACL_BREAK + ? "break" + : "stop" ); + /* save old mask */ + oldmask = *mask; + + if( ACL_IS_ADDITIVE(modmask) ) { + /* add privs */ + ACL_PRIV_SET( *mask, modmask ); + + /* cleanup */ + ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK ); + + } else if( ACL_IS_SUBTRACTIVE(modmask) ) { + /* substract privs */ + ACL_PRIV_CLR( *mask, modmask ); + + /* cleanup */ + ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK ); + + } else { + /* assign privs */ + *mask = modmask; + } + + Debug( LDAP_DEBUG_ACL, + "<= acl_mask: [%d] mask: %s\n", + i, accessmask2str(*mask, accessmaskbuf, 1), 0 ); + + if( b->a_type == ACL_CONTINUE ) { + continue; + + } else if ( b->a_type == ACL_BREAK ) { + return ACL_BREAK; + + } else { + return ACL_STOP; + } + } + + /* implicit "by * none" clause */ + ACL_INIT(*mask); + + Debug( LDAP_DEBUG_ACL, + "<= acl_mask: no more clauses, returning %s (stop)\n", + accessmask2str(*mask, accessmaskbuf, 1), 0, 0 ); + return ACL_STOP; +} + +/* + * acl_check_modlist - check access control on the given entry to see if + * it allows the given modifications by the user associated with op. + * returns 1 if mods allowed ok + * 0 mods not allowed + */ + +int +acl_check_modlist( + Operation *op, + Entry *e, + Modifications *mlist ) +{ + struct berval *bv; + AccessControlState state = ACL_STATE_INIT; + Backend *be; + int be_null = 0; + int ret = 1; /* default is access allowed */ + + be = op->o_bd; + if ( be == NULL ) { + be = LDAP_STAILQ_FIRST(&backendDB); + be_null = 1; + op->o_bd = be; + } + assert( be != NULL ); + + /* If ADD attribute checking is not enabled, just allow it */ + if ( op->o_tag == LDAP_REQ_ADD && !SLAP_DBACL_ADD( be )) + return 1; + + /* short circuit root database access */ + if ( be_isroot( op ) ) { + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: granted to database root\n", + 0, 0, 0 ); + goto done; + } + + /* use backend default access if no backend acls */ + if( op->o_bd != NULL && op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) { + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: backend default %s access %s to \"%s\"\n", + access2str( ACL_WRITE ), + op->o_bd->be_dfltaccess >= ACL_WRITE + ? "granted" : "denied", + op->o_dn.bv_val ); + ret = (op->o_bd->be_dfltaccess >= ACL_WRITE); + goto done; + } + + for ( ; mlist != NULL; mlist = mlist->sml_next ) { + /* + * Internal mods are ignored by ACL_WRITE checking + */ + if ( mlist->sml_flags & SLAP_MOD_INTERNAL ) { + Debug( LDAP_DEBUG_ACL, "acl: internal mod %s:" + " modify access granted\n", + mlist->sml_desc->ad_cname.bv_val, 0, 0 ); + continue; + } + + /* + * no-user-modification operational attributes are ignored + * by ACL_WRITE checking as any found here are not provided + * by the user + */ + if ( is_at_no_user_mod( mlist->sml_desc->ad_type ) + && ! ( mlist->sml_flags & SLAP_MOD_MANAGING ) ) + { + Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:" + " modify access granted\n", + mlist->sml_desc->ad_cname.bv_val, 0, 0 ); + continue; + } + + switch ( mlist->sml_op ) { + case LDAP_MOD_REPLACE: + case LDAP_MOD_INCREMENT: + /* + * We must check both permission to delete the whole + * attribute and permission to add the specific attributes. + * This prevents abuse from selfwriters. + */ + if ( ! access_allowed( op, e, + mlist->sml_desc, NULL, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WDEL, + &state ) ) + { + ret = 0; + goto done; + } + + if ( mlist->sml_values == NULL ) break; + + /* fall thru to check value to add */ + + case LDAP_MOD_ADD: + case SLAP_MOD_ADD_IF_NOT_PRESENT: + assert( mlist->sml_values != NULL ); + + if ( mlist->sml_op == SLAP_MOD_ADD_IF_NOT_PRESENT + && attr_find( e->e_attrs, mlist->sml_desc ) ) + { + break; + } + + for ( bv = mlist->sml_nvalues + ? mlist->sml_nvalues : mlist->sml_values; + bv->bv_val != NULL; bv++ ) + { + if ( ! access_allowed( op, e, + mlist->sml_desc, bv, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WADD, + &state ) ) + { + ret = 0; + goto done; + } + } + break; + + case LDAP_MOD_DELETE: + case SLAP_MOD_SOFTDEL: + if ( mlist->sml_values == NULL ) { + if ( ! access_allowed( op, e, + mlist->sml_desc, NULL, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WDEL, + &state ) ) + { + ret = 0; + goto done; + } + break; + } + for ( bv = mlist->sml_nvalues + ? mlist->sml_nvalues : mlist->sml_values; + bv->bv_val != NULL; bv++ ) + { + if ( ! access_allowed( op, e, + mlist->sml_desc, bv, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WDEL, + &state ) ) + { + ret = 0; + goto done; + } + } + break; + + case SLAP_MOD_SOFTADD: + /* allow adding attribute via modrdn thru */ + break; + + default: + assert( 0 ); + /* not reached */ + ret = 0; + break; + } + } + +done: + if (be_null) op->o_bd = NULL; + return( ret ); +} + +int +acl_get_part( + struct berval *list, + int ix, + char sep, + struct berval *bv ) +{ + int len; + char *p; + + if ( bv ) { + BER_BVZERO( bv ); + } + len = list->bv_len; + p = list->bv_val; + while ( len >= 0 && --ix >= 0 ) { + while ( --len >= 0 && *p++ != sep ) + ; + } + while ( len >= 0 && *p == ' ' ) { + len--; + p++; + } + if ( len < 0 ) { + return -1; + } + + if ( !bv ) { + return 0; + } + + bv->bv_val = p; + while ( --len >= 0 && *p != sep ) { + bv->bv_len++; + p++; + } + while ( bv->bv_len > 0 && *--p == ' ' ) { + bv->bv_len--; + } + + return bv->bv_len; +} + +typedef struct acl_set_gather_t { + SetCookie *cookie; + BerVarray bvals; +} acl_set_gather_t; + +static int +acl_set_cb_gather( Operation *op, SlapReply *rs ) +{ + acl_set_gather_t *p = (acl_set_gather_t *)op->o_callback->sc_private; + + if ( rs->sr_type == REP_SEARCH ) { + BerValue bvals[ 2 ]; + BerVarray bvalsp = NULL; + int j; + + for ( j = 0; !BER_BVISNULL( &rs->sr_attrs[ j ].an_name ); j++ ) { + AttributeDescription *desc = rs->sr_attrs[ j ].an_desc; + + if ( desc == NULL ) { + continue; + } + + if ( desc == slap_schema.si_ad_entryDN ) { + bvalsp = bvals; + bvals[ 0 ] = rs->sr_entry->e_nname; + BER_BVZERO( &bvals[ 1 ] ); + + } else { + Attribute *a; + + a = attr_find( rs->sr_entry->e_attrs, desc ); + if ( a != NULL ) { + bvalsp = a->a_nvals; + } + } + + if ( bvalsp ) { + p->bvals = slap_set_join( p->cookie, p->bvals, + ( '|' | SLAP_SET_RREF ), bvalsp ); + } + } + + } else { + switch ( rs->sr_type ) { + case REP_SEARCHREF: + case REP_INTERMEDIATE: + /* ignore */ + break; + + default: + assert( rs->sr_type == REP_RESULT ); + break; + } + } + + return 0; +} + +BerVarray +acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *desc ) +{ + AclSetCookie *cp = (AclSetCookie *)cookie; + int rc = 0; + LDAPURLDesc *ludp = NULL; + Operation op2 = { 0 }; + SlapReply rs = {REP_RESULT}; + AttributeName anlist[ 2 ], *anlistp = NULL; + int nattrs = 0; + slap_callback cb = { NULL, acl_set_cb_gather, NULL, NULL }; + acl_set_gather_t p = { 0 }; + + /* this routine needs to return the bervals instead of + * plain strings, since syntax is not known. It should + * also return the syntax or some "comparison cookie". + */ + if ( strncasecmp( name->bv_val, "ldap:///", STRLENOF( "ldap:///" ) ) != 0 ) { + return acl_set_gather2( cookie, name, desc ); + } + + rc = ldap_url_parse( name->bv_val, &ludp ); + if ( rc != LDAP_URL_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: unable to parse URL=\"%s\"\n", + cp->asc_op->o_log_prefix, name->bv_val, 0 ); + + rc = LDAP_PROTOCOL_ERROR; + goto url_done; + } + + if ( ( ludp->lud_host && ludp->lud_host[0] ) || ludp->lud_exts ) + { + /* host part must be empty */ + /* extensions parts must be empty */ + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: host/exts must be absent in URL=\"%s\"\n", + cp->asc_op->o_log_prefix, name->bv_val, 0 ); + + rc = LDAP_PROTOCOL_ERROR; + goto url_done; + } + + /* Grab the searchbase and see if an appropriate database can be found */ + ber_str2bv( ludp->lud_dn, 0, 0, &op2.o_req_dn ); + rc = dnNormalize( 0, NULL, NULL, &op2.o_req_dn, + &op2.o_req_ndn, cp->asc_op->o_tmpmemctx ); + BER_BVZERO( &op2.o_req_dn ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: DN=\"%s\" normalize failed\n", + cp->asc_op->o_log_prefix, ludp->lud_dn, 0 ); + + goto url_done; + } + + op2.o_bd = select_backend( &op2.o_req_ndn, 1 ); + if ( ( op2.o_bd == NULL ) || ( op2.o_bd->be_search == NULL ) ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: no database could be selected for DN=\"%s\"\n", + cp->asc_op->o_log_prefix, op2.o_req_ndn.bv_val, 0 ); + + rc = LDAP_NO_SUCH_OBJECT; + goto url_done; + } + + /* Grab the filter */ + if ( ludp->lud_filter ) { + ber_str2bv_x( ludp->lud_filter, 0, 0, &op2.ors_filterstr, + cp->asc_op->o_tmpmemctx ); + op2.ors_filter = str2filter_x( cp->asc_op, op2.ors_filterstr.bv_val ); + if ( op2.ors_filter == NULL ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: unable to parse filter=\"%s\"\n", + cp->asc_op->o_log_prefix, op2.ors_filterstr.bv_val, 0 ); + + rc = LDAP_PROTOCOL_ERROR; + goto url_done; + } + + } else { + op2.ors_filterstr = *slap_filterstr_objectClass_pres; + op2.ors_filter = (Filter *)slap_filter_objectClass_pres; + } + + + /* Grab the scope */ + op2.ors_scope = ludp->lud_scope; + + /* Grap the attributes */ + if ( ludp->lud_attrs ) { + int i; + + for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ ) + ; + + anlistp = slap_sl_calloc( sizeof( AttributeName ), nattrs + 2, + cp->asc_op->o_tmpmemctx ); + + for ( i = 0, nattrs = 0; ludp->lud_attrs[ i ]; i++ ) { + struct berval name; + AttributeDescription *desc = NULL; + const char *text = NULL; + + ber_str2bv( ludp->lud_attrs[ i ], 0, 0, &name ); + rc = slap_bv2ad( &name, &desc, &text ); + if ( rc == LDAP_SUCCESS ) { + anlistp[ nattrs ].an_name = name; + anlistp[ nattrs ].an_desc = desc; + nattrs++; + } + } + + } else { + anlistp = anlist; + } + + anlistp[ nattrs ].an_name = desc->ad_cname; + anlistp[ nattrs ].an_desc = desc; + + BER_BVZERO( &anlistp[ nattrs + 1 ].an_name ); + + p.cookie = cookie; + + op2.o_hdr = cp->asc_op->o_hdr; + op2.o_tag = LDAP_REQ_SEARCH; + op2.o_ndn = op2.o_bd->be_rootndn; + op2.o_callback = &cb; + slap_op_time( &op2.o_time, &op2.o_tincr ); + op2.o_do_not_cache = 1; + op2.o_is_auth_check = 0; + ber_dupbv_x( &op2.o_req_dn, &op2.o_req_ndn, cp->asc_op->o_tmpmemctx ); + op2.ors_slimit = SLAP_NO_LIMIT; + op2.ors_tlimit = SLAP_NO_LIMIT; + op2.ors_attrs = anlistp; + op2.ors_attrsonly = 0; + op2.o_private = cp->asc_op->o_private; + op2.o_extra = cp->asc_op->o_extra; + + cb.sc_private = &p; + + rc = op2.o_bd->be_search( &op2, &rs ); + if ( rc != 0 ) { + goto url_done; + } + +url_done:; + if ( op2.ors_filter && op2.ors_filter != slap_filter_objectClass_pres ) { + filter_free_x( cp->asc_op, op2.ors_filter, 1 ); + } + if ( !BER_BVISNULL( &op2.o_req_ndn ) ) { + slap_sl_free( op2.o_req_ndn.bv_val, cp->asc_op->o_tmpmemctx ); + } + if ( !BER_BVISNULL( &op2.o_req_dn ) ) { + slap_sl_free( op2.o_req_dn.bv_val, cp->asc_op->o_tmpmemctx ); + } + if ( ludp ) { + ldap_free_urldesc( ludp ); + } + if ( anlistp && anlistp != anlist ) { + slap_sl_free( anlistp, cp->asc_op->o_tmpmemctx ); + } + + return p.bvals; +} + +BerVarray +acl_set_gather2( SetCookie *cookie, struct berval *name, AttributeDescription *desc ) +{ + AclSetCookie *cp = (AclSetCookie *)cookie; + BerVarray bvals = NULL; + struct berval ndn; + int rc = 0; + + /* this routine needs to return the bervals instead of + * plain strings, since syntax is not known. It should + * also return the syntax or some "comparison cookie". + */ + rc = dnNormalize( 0, NULL, NULL, name, &ndn, cp->asc_op->o_tmpmemctx ); + if ( rc == LDAP_SUCCESS ) { + if ( desc == slap_schema.si_ad_entryDN ) { + bvals = (BerVarray)slap_sl_malloc( sizeof( BerValue ) * 2, + cp->asc_op->o_tmpmemctx ); + bvals[ 0 ] = ndn; + BER_BVZERO( &bvals[ 1 ] ); + BER_BVZERO( &ndn ); + + } else { + backend_attribute( cp->asc_op, + cp->asc_e, &ndn, desc, &bvals, ACL_NONE ); + } + + if ( !BER_BVISNULL( &ndn ) ) { + slap_sl_free( ndn.bv_val, cp->asc_op->o_tmpmemctx ); + } + } + + return bvals; +} + +int +acl_match_set ( + struct berval *subj, + Operation *op, + Entry *e, + struct berval *default_set_attribute ) +{ + struct berval set = BER_BVNULL; + int rc = 0; + AclSetCookie cookie; + + if ( default_set_attribute == NULL ) { + set = *subj; + + } else { + struct berval subjdn, ndn = BER_BVNULL; + struct berval setat; + BerVarray bvals = NULL; + const char *text; + AttributeDescription *desc = NULL; + + /* format of string is "entry/setAttrName" */ + if ( acl_get_part( subj, 0, '/', &subjdn ) < 0 ) { + return 0; + } + + if ( acl_get_part( subj, 1, '/', &setat ) < 0 ) { + setat = *default_set_attribute; + } + + /* + * NOTE: dnNormalize honors the ber_len field + * as the length of the dn to be normalized + */ + if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) { + if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS ) + { + backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE ); + if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) { + int i; + + set = bvals[0]; + BER_BVZERO( &bvals[0] ); + for ( i = 1; !BER_BVISNULL( &bvals[i] ); i++ ) + /* count */ ; + bvals[0].bv_val = bvals[i-1].bv_val; + BER_BVZERO( &bvals[i-1] ); + } + ber_bvarray_free_x( bvals, op->o_tmpmemctx ); + slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); + } + } + } + + if ( !BER_BVISNULL( &set ) ) { + cookie.asc_op = op; + cookie.asc_e = e; + rc = ( slap_set_filter( + acl_set_gather, + (SetCookie *)&cookie, &set, + &op->o_ndn, &e->e_nname, NULL ) > 0 ); + if ( set.bv_val != subj->bv_val ) { + slap_sl_free( set.bv_val, op->o_tmpmemctx ); + } + } + + return(rc); +} + +#ifdef SLAP_DYNACL + +/* + * dynamic ACL infrastructure + */ +static slap_dynacl_t *da_list = NULL; + +int +slap_dynacl_register( slap_dynacl_t *da ) +{ + slap_dynacl_t *tmp; + + for ( tmp = da_list; tmp; tmp = tmp->da_next ) { + if ( strcasecmp( da->da_name, tmp->da_name ) == 0 ) { + break; + } + } + + if ( tmp != NULL ) { + return -1; + } + + if ( da->da_mask == NULL ) { + return -1; + } + + da->da_private = NULL; + da->da_next = da_list; + da_list = da; + + return 0; +} + +static slap_dynacl_t * +slap_dynacl_next( slap_dynacl_t *da ) +{ + if ( da ) { + return da->da_next; + } + return da_list; +} + +slap_dynacl_t * +slap_dynacl_get( const char *name ) +{ + slap_dynacl_t *da; + + for ( da = slap_dynacl_next( NULL ); da; da = slap_dynacl_next( da ) ) { + if ( strcasecmp( da->da_name, name ) == 0 ) { + break; + } + } + + return da; +} +#endif /* SLAP_DYNACL */ + +/* + * statically built-in dynamic ACL initialization + */ +static int (*acl_init_func[])( void ) = { +#ifdef SLAP_DYNACL + /* TODO: remove when ACI will only be dynamic */ +#if SLAPD_ACI_ENABLED == SLAPD_MOD_STATIC + dynacl_aci_init, +#endif /* SLAPD_ACI_ENABLED */ +#endif /* SLAP_DYNACL */ + + NULL +}; + +int +acl_init( void ) +{ + int i, rc; + + for ( i = 0; acl_init_func[ i ] != NULL; i++ ) { + rc = (*(acl_init_func[ i ]))(); + if ( rc != 0 ) { + return rc; + } + } + + return 0; +} + +int +acl_string_expand( + struct berval *bv, + struct berval *pat, + struct berval *dn_matches, + struct berval *val_matches, + AclRegexMatches *matches) +{ + ber_len_t size; + char *sp; + char *dp; + int flag; + enum { DN_FLAG, VAL_FLAG } tflag; + + size = 0; + bv->bv_val[0] = '\0'; + bv->bv_len--; /* leave space for lone $ */ + + flag = 0; + tflag = DN_FLAG; + for ( dp = bv->bv_val, sp = pat->bv_val; size < bv->bv_len && + sp < pat->bv_val + pat->bv_len ; sp++ ) + { + /* did we previously see a $ */ + if ( flag ) { + if ( flag == 1 && *sp == '$' ) { + *dp++ = '$'; + size++; + flag = 0; + tflag = DN_FLAG; + + } else if ( flag == 2 && *sp == 'v' /*'}'*/) { + tflag = VAL_FLAG; + + } else if ( flag == 2 && *sp == 'd' /*'}'*/) { + tflag = DN_FLAG; + + } else if ( flag == 1 && *sp == '{' /*'}'*/) { + flag = 2; + + } else if ( *sp >= '0' && *sp <= '9' ) { + int nm; + regmatch_t *m; + char *data; + int n; + int i; + int l; + + n = *sp - '0'; + + if ( flag == 2 ) { + for ( sp++; *sp != '\0' && *sp != /*'{'*/ '}'; sp++ ) { + if ( *sp >= '0' && *sp <= '9' ) { + n = 10*n + ( *sp - '0' ); + } + } + + if ( *sp != /*'{'*/ '}' ) { + /* FIXME: error */ + return 1; + } + } + + switch (tflag) { + case DN_FLAG: + nm = matches->dn_count; + m = matches->dn_data; + data = dn_matches ? dn_matches->bv_val : NULL; + break; + case VAL_FLAG: + nm = matches->val_count; + m = matches->val_data; + data = val_matches ? val_matches->bv_val : NULL; + break; + default: + assert( 0 ); + } + if ( n >= nm ) { + /* FIXME: error */ + return 1; + } + if ( data == NULL ) { + /* FIXME: error */ + return 1; + } + + *dp = '\0'; + i = m[n].rm_so; + l = m[n].rm_eo; + + for ( ; size < bv->bv_len && i < l; size++, i++ ) { + *dp++ = data[i]; + } + *dp = '\0'; + + flag = 0; + tflag = DN_FLAG; + } + } else { + if (*sp == '$') { + flag = 1; + } else { + *dp++ = *sp; + size++; + } + } + } + + if ( flag ) { + /* must have ended with a single $ */ + *dp++ = '$'; + size++; + } + + *dp = '\0'; + bv->bv_len = size; + + Debug( LDAP_DEBUG_ACL, "=> acl_string_expand: pattern: %.*s\n", (int)pat->bv_len, pat->bv_val, 0 ); + Debug( LDAP_DEBUG_ACL, "=> acl_string_expand: expanded: %s\n", bv->bv_val, 0, 0 ); + + return 0; +} + +static int +regex_matches( + struct berval *pat, /* pattern to expand and match against */ + char *str, /* string to match against pattern */ + struct berval *dn_matches, /* buffer with $N expansion variables from DN */ + struct berval *val_matches, /* buffer with $N expansion variables from val */ + AclRegexMatches *matches /* offsets in buffer for $N expansion variables */ +) +{ + regex_t re; + char newbuf[ACL_BUF_SIZE]; + struct berval bv; + int rc; + + bv.bv_len = sizeof( newbuf ) - 1; + bv.bv_val = newbuf; + + if (str == NULL) { + str = ""; + }; + + if ( acl_string_expand( &bv, pat, dn_matches, val_matches, matches )) { + Debug( LDAP_DEBUG_TRACE, + "expand( \"%s\", \"%s\") failed\n", + pat->bv_val, str, 0 ); + return( 0 ); + } + rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE ); + if ( rc ) { + char error[ACL_BUF_SIZE]; + regerror( rc, &re, error, sizeof( error ) ); + + Debug( LDAP_DEBUG_TRACE, + "compile( \"%s\", \"%s\") failed %s\n", + pat->bv_val, str, error ); + return( 0 ); + } + + rc = regexec( &re, str, 0, NULL, 0 ); + regfree( &re ); + + Debug( LDAP_DEBUG_TRACE, + "=> regex_matches: string: %s\n", str, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, + "=> regex_matches: rc: %d %s\n", + rc, !rc ? "matches" : "no matches", 0 ); + return( !rc ); +} + diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c new file mode 100644 index 0000000..1ef4567 --- /dev/null +++ b/servers/slapd/aclparse.c @@ -0,0 +1,2869 @@ +/* aclparse.c - routines to parse and check acl's */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software . + * + * Copyright 1998-2018 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * . + */ +/* Portions Copyright (c) 1995 Regents of the University of Michigan. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. + */ + +#include "portable.h" + +#include + +#include +#include +#include +#include +#include + +#include "slap.h" +#include "lber_pvt.h" +#include "lutil.h" + +static const char style_base[] = "base"; +const char *style_strings[] = { + "regex", + "expand", + "exact", + "one", + "subtree", + "children", + "level", + "attrof", + "anonymous", + "users", + "self", + "ip", + "ipv6", + "path", + NULL +}; + +#define ACLBUF_CHUNKSIZE 8192 +static struct berval aclbuf; + +static void split(char *line, int splitchar, char **left, char **right); +static void access_append(Access **l, Access *a); +static void access_free( Access *a ); +static int acl_usage(void); + +static void acl_regex_normalized_dn(const char *src, struct berval *pat); + +#ifdef LDAP_DEBUG +static void print_acl(Backend *be, AccessControl *a); +#endif + +static int check_scope( BackendDB *be, AccessControl *a ); + +#ifdef SLAP_DYNACL +static int +slap_dynacl_config( + const char *fname, + int lineno, + Access *b, + const char *name, + const char *opts, + slap_style_t sty, + const char *right ) +{ + slap_dynacl_t *da, *tmp; + int rc = 0; + + for ( da = b->a_dynacl; da; da = da->da_next ) { + if ( strcasecmp( da->da_name, name ) == 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: dynacl \"%s\" already specified.\n", + fname, lineno, name ); + return acl_usage(); + } + } + + da = slap_dynacl_get( name ); + if ( da == NULL ) { + return -1; + } + + tmp = ch_malloc( sizeof( slap_dynacl_t ) ); + *tmp = *da; + + if ( tmp->da_parse ) { + rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private ); + if ( rc ) { + ch_free( tmp ); + return rc; + } + } + + tmp->da_next = b->a_dynacl; + b->a_dynacl = tmp; + + return 0; +} +#endif /* SLAP_DYNACL */ + +static void +regtest(const char *fname, int lineno, char *pat) { + int e; + regex_t re; + + char buf[ SLAP_TEXT_BUFLEN ]; + unsigned size; + + char *sp; + char *dp; + int flag; + + sp = pat; + dp = buf; + size = 0; + buf[0] = '\0'; + + for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) { + if (flag) { + if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) { + *dp++ = *sp; + size++; + } + flag = 0; + + } else { + if (*sp == '$') { + flag = 1; + } else { + *dp++ = *sp; + size++; + } + } + } + + *dp = '\0'; + if ( size >= (sizeof(buf) - 1) ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: regular expression \"%s\" too large\n", + fname, lineno, pat ); + (void)acl_usage(); + exit( EXIT_FAILURE ); + } + + if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) { + char error[ SLAP_TEXT_BUFLEN ]; + + regerror(e, &re, error, sizeof(error)); + + snprintf( buf, sizeof( buf ), + "regular expression \"%s\" bad because of %s", + pat, error ); + Debug( LDAP_DEBUG_ANY, + "%s: line %d: %s\n", + fname, lineno, buf ); + acl_usage(); + exit( EXIT_FAILURE ); + } + regfree(&re); +} + +/* + * Experimental + * + * Check if the pattern of an ACL, if any, matches the scope + * of the backend it is defined within. + */ +#define ACL_SCOPE_UNKNOWN (-2) +#define ACL_SCOPE_ERR (-1) +#define ACL_SCOPE_OK (0) +#define ACL_SCOPE_PARTIAL (1) +#define ACL_SCOPE_WARN (2) + +static int +check_scope( BackendDB *be, AccessControl *a ) +{ + ber_len_t patlen; + struct berval dn; + + dn = be->be_nsuffix[0]; + + if ( BER_BVISEMPTY( &dn ) ) { + return ACL_SCOPE_OK; + } + + if ( !BER_BVISEMPTY( &a->acl_dn_pat ) || + a->acl_dn_style != ACL_STYLE_REGEX ) + { + slap_style_t style = a->acl_dn_style; + + if ( style == ACL_STYLE_REGEX ) { + char dnbuf[SLAP_LDAPDN_MAXLEN + 2]; + char rebuf[SLAP_LDAPDN_MAXLEN + 1]; + ber_len_t rebuflen; + regex_t re; + int rc; + + /* add trailing '$' to database suffix to form + * a simple trial regex pattern "$" */ + AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val, + be->be_nsuffix[0].bv_len ); + dnbuf[be->be_nsuffix[0].bv_len] = '$'; + dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0'; + + if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) { + return ACL_SCOPE_WARN; + } + + /* remove trailing ')$', if any, from original + * regex pattern */ + rebuflen = a->acl_dn_pat.bv_len; + AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 ); + if ( rebuf[rebuflen - 1] == '$' ) { + rebuf[--rebuflen] = '\0'; + } + while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) { + rebuf[--rebuflen] = '\0'; + } + if ( rebuflen == be->be_nsuffix[0].bv_len ) { + rc = ACL_SCOPE_WARN; + goto regex_done; + } + + /* not a clear indication of scoping error, though */ + rc = regexec( &re, rebuf, 0, NULL, 0 ) + ? ACL_SCOPE_WARN : ACL_SCOPE_OK; + +regex_done:; + regfree( &re ); + return rc; + } + + patlen = a->acl_dn_pat.bv_len; + /* If backend suffix is longer than pattern, + * it is a potential mismatch (in the sense + * that a superior naming context could + * match */ + if ( dn.bv_len > patlen ) { + /* base is blatantly wrong */ + if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR; + + /* a style of one can be wrong if there is + * more than one level between the suffix + * and the pattern */ + if ( style == ACL_STYLE_ONE ) { + ber_len_t rdnlen = 0; + int sep = 0; + + if ( patlen > 0 ) { + if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) { + return ACL_SCOPE_ERR; + } + sep = 1; + } + + rdnlen = dn_rdnlen( NULL, &dn ); + if ( rdnlen != dn.bv_len - patlen - sep ) + return ACL_SCOPE_ERR; + } + + /* if the trailing part doesn't match, + * then it's an error */ + if ( strcmp( a->acl_dn_pat.bv_val, + &dn.bv_val[dn.bv_len - patlen] ) != 0 ) + { + return ACL_SCOPE_ERR; + } + + return ACL_SCOPE_PARTIAL; + } + + switch ( style ) { + case ACL_STYLE_BASE: + case ACL_STYLE_ONE: + case ACL_STYLE_CHILDREN: + case ACL_STYLE_SUBTREE: + break; + + default: + assert( 0 ); + break; + } + + if ( dn.bv_len < patlen && + !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] )) + { + return ACL_SCOPE_ERR; + } + + if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val ) + != 0 ) + { + return ACL_SCOPE_ERR; + } + + return ACL_SCOPE_OK; + } + + return ACL_SCOPE_UNKNOWN; +} + +int +parse_acl( + Backend *be, + const char *fname, + int lineno, + int argc, + char **argv, + int pos ) +{ + int i; + char *left, *right, *style; + struct berval bv; + AccessControl *a = NULL; + Access *b = NULL; + int rc; + const char *text; + + for ( i = 1; i < argc; i++ ) { + /* to clause - select which entries are protected */ + if ( strcasecmp( argv[i], "to" ) == 0 ) { + if ( a != NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "only one to clause allowed in access line\n", + fname, lineno, 0 ); + goto fail; + } + a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) ); + a->acl_attrval_style = ACL_STYLE_NONE; + for ( ++i; i < argc; i++ ) { + if ( strcasecmp( argv[i], "by" ) == 0 ) { + i--; + break; + } + + if ( strcasecmp( argv[i], "*" ) == 0 ) { + if ( !BER_BVISEMPTY( &a->acl_dn_pat ) || + a->acl_dn_style != ACL_STYLE_REGEX ) + { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: dn pattern" + " already specified in to clause.\n", + fname, lineno, 0 ); + goto fail; + } + + ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat ); + continue; + } + + split( argv[i], '=', &left, &right ); + split( left, '.', &left, &style ); + + if ( right == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "missing \"=\" in \"%s\" in to clause\n", + fname, lineno, left ); + goto fail; + } + + if ( strcasecmp( left, "dn" ) == 0 ) { + if ( !BER_BVISEMPTY( &a->acl_dn_pat ) || + a->acl_dn_style != ACL_STYLE_REGEX ) + { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: dn pattern" + " already specified in to clause.\n", + fname, lineno, 0 ); + goto fail; + } + + if ( style == NULL || *style == '\0' || + strcasecmp( style, "baseObject" ) == 0 || + strcasecmp( style, "base" ) == 0 || + strcasecmp( style, "exact" ) == 0 ) + { + a->acl_dn_style = ACL_STYLE_BASE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + + } else if ( strcasecmp( style, "oneLevel" ) == 0 || + strcasecmp( style, "one" ) == 0 ) + { + a->acl_dn_style = ACL_STYLE_ONE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + + } else if ( strcasecmp( style, "subtree" ) == 0 || + strcasecmp( style, "sub" ) == 0 ) + { + if( *right == '\0' ) { + ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat ); + + } else { + a->acl_dn_style = ACL_STYLE_SUBTREE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + } + + } else if ( strcasecmp( style, "children" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_CHILDREN; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + + } else if ( strcasecmp( style, "regex" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_REGEX; + + if ( *right == '\0' ) { + /* empty regex should match empty DN */ + a->acl_dn_style = ACL_STYLE_BASE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + + } else if ( strcmp(right, "*") == 0 + || strcmp(right, ".*") == 0 + || strcmp(right, ".*$") == 0 + || strcmp(right, "^.*") == 0 + || strcmp(right, "^.*$") == 0 + || strcmp(right, ".*$$") == 0 + || strcmp(right, "^.*$$") == 0 ) + { + ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat ); + + } else { + acl_regex_normalized_dn( right, &a->acl_dn_pat ); + } + + } else { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "unknown dn style \"%s\" in to clause\n", + fname, lineno, style ); + goto fail; + } + + continue; + } + + if ( strcasecmp( left, "filter" ) == 0 ) { + if ( (a->acl_filter = str2filter( right )) == NULL ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: bad filter \"%s\" in to clause\n", + fname, lineno, right ); + goto fail; + } + + } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */ + || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */ + { + if ( strcasecmp( left, "attr" ) == 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: \"attr\" " + "is deprecated (and undocumented); " + "use \"attrs\" instead.\n", + fname, lineno, 0 ); + } + + a->acl_attrs = str2anlist( a->acl_attrs, + right, "," ); + if ( a->acl_attrs == NULL ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unknown attr \"%s\" in to clause\n", + fname, lineno, right ); + goto fail; + } + + } else if ( strncasecmp( left, "val", 3 ) == 0 ) { + struct berval bv; + char *mr; + + if ( !BER_BVISEMPTY( &a->acl_attrval ) ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: attr val already specified in to clause.\n", + fname, lineno, 0 ); + goto fail; + } + if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) ) + { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: attr val requires a single attribute.\n", + fname, lineno, 0 ); + goto fail; + } + + ber_str2bv( right, 0, 0, &bv ); + a->acl_attrval_style = ACL_STYLE_BASE; + + mr = strchr( left, '/' ); + if ( mr != NULL ) { + mr[ 0 ] = '\0'; + mr++; + + a->acl_attrval_mr = mr_find( mr ); + if ( a->acl_attrval_mr == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "invalid matching rule \"%s\".\n", + fname, lineno, mr ); + goto fail; + } + + if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) ) + { + char buf[ SLAP_TEXT_BUFLEN ]; + + snprintf( buf, sizeof( buf ), + "matching rule \"%s\" use " + "with attr \"%s\" not appropriate.", + mr, a->acl_attrs[ 0 ].an_name.bv_val ); + + + Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n", + fname, lineno, buf ); + goto fail; + } + } + + if ( style != NULL ) { + if ( strcasecmp( style, "regex" ) == 0 ) { + int e = regcomp( &a->acl_attrval_re, bv.bv_val, + REG_EXTENDED | REG_ICASE ); + if ( e ) { + char err[SLAP_TEXT_BUFLEN], + buf[ SLAP_TEXT_BUFLEN ]; + + regerror( e, &a->acl_attrval_re, err, sizeof( err ) ); + + snprintf( buf, sizeof( buf ), + "regular expression \"%s\" bad because of %s", + right, err ); + + Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n", + fname, lineno, buf ); + goto fail; + } + a->acl_attrval_style = ACL_STYLE_REGEX; + + } else { + /* FIXME: if the attribute has DN syntax, we might + * allow one, subtree and children styles as well */ + if ( !strcasecmp( style, "base" ) || + !strcasecmp( style, "exact" ) ) { + a->acl_attrval_style = ACL_STYLE_BASE; + + } else if ( a->acl_attrs[0].an_desc->ad_type-> + sat_syntax == slap_schema.si_syn_distinguishedName ) + { + if ( !strcasecmp( style, "baseObject" ) || + !strcasecmp( style, "base" ) ) + { + a->acl_attrval_style = ACL_STYLE_BASE; + } else if ( !strcasecmp( style, "onelevel" ) || + !strcasecmp( style, "one" ) ) + { + a->acl_attrval_style = ACL_STYLE_ONE; + } else if ( !strcasecmp( style, "subtree" ) || + !strcasecmp( style, "sub" ) ) + { + a->acl_attrval_style = ACL_STYLE_SUBTREE; + } else if ( !strcasecmp( style, "children" ) ) { + a->acl_attrval_style = ACL_STYLE_CHILDREN; + } else { + char buf[ SLAP_TEXT_BUFLEN ]; + + snprintf( buf, sizeof( buf ), + "unknown val.